Full Disclosure mailing list archives
Re: Netvolution referer header SQL injection vulnerability
From: Dimitris Glynos <dimitris () census gr>
Date: Tue, 04 Oct 2011 02:30:08 +0300
On 10/03/2011 01:47 PM, Dimitris Glynos wrote:
As header field values are normally not included in HTTP transaction logs, an attack based on this vulnerability may go unnoticed by web server administrators.
A correction: Although most header fields are not normally included in HTTP transaction logs, the referer one usually is. Hence the above argument holds true only for web servers with minimal logging setups (e.g. IIS 6.0 using IIS Log File Format). Cheers, Dimitris _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Netvolution referer header SQL injection vulnerability Dimitris Glynos (Oct 03)
- Re: Netvolution referer header SQL injection vulnerability Dimitris Glynos (Oct 04)