Full Disclosure mailing list archives

Re: Referers Are Evil


From: Nicolas Rachinsky <fd-0 () ml turing-complete org>
Date: Sun, 7 Aug 2005 22:54:55 +0200

* Vincent van Scherpenseel <mailinglists () vanscherpenseel nl> [2005-08-07 22:41 +0200]:
> On Sunday 07 August 2005 20:27, Bipin Gautam wrote:
>
> > BUT, I remember testing it on phpBB back then, I don't think you can
> > take over the session on that! (I may be wrong). Yep, but there are
> > LOTS of sites & applications out there from which you can easily steal
> > away sessions.
>
> Well, if the client's IP address used for a given session is stored in a
> session variable, it's not possible to steal an active session from another
> IP address. That's probably their way of working around this problem.

What if the attacker is behind the same proxy?

Nicolas

-- 
http://www.rachinsky.de/nicolas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
