WebApp Sec mailing list archives

Re: post to bugtraq about "session fixation"


From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 19 Dec 2002 17:37:55 -0500 (EST)


securityarchitect () hush com said:

> This is nothing new (although a good write-up).

IMHO, we need more "good write-ups" on most vulnerability classes.
Research doesn't have to be 100% original to be important.  When
Clowes/etc. released the Study in Scarlet paper, some PHP bugs were
"nothing new," but the paper crystalizes many of the major issues in
PHP applications that we're seeing over and over again (thanks to the
diligence of people like frog man ;-) The same thing applies to
aleph1's buffer overflow paper, the Newsham/etc. study on format
strings, and so on.  But where is the "definitive" paper on directory
traversal?  Canonicalization?  The general "malformed input" problem?
A taxonomy of configuration errors? etc.  There are still major gaps.

Such papers can form the basic "literature" for this emerging field of
vulnerability research.  They take scattered knowledge, none of which
is known to everyone, and collect it into a single source to form a
basic but solid understanding of the problem.  (As an example of
scattered knowledge, I'm still wondering if anybody else thinks that
the vulnerability in the obscure AlienForm2 product was a new type of
canonicalization issue - though maybe *that's* "nothing new," but it's
new to me).

- Steve

