WebApp Sec mailing list archives
Re: post to bugtraq about "session fixation"
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 19 Dec 2002 17:37:55 -0500 (EST)
securityarchitect () hush com said:

> This is nothing new (although a good write-up).
IMHO, we need more "good write-ups" on most vulnerability classes. Research doesn't have to be 100% original to be important. When Clowes/etc. released the Study in Scarlet paper, some PHP bugs were "nothing new," but the paper crystallizes many of the major issues in PHP applications that we're seeing over and over again (thanks to the diligence of people like frog man ;-) The same thing applies to aleph1's buffer overflow paper, the Newsham/etc. study on format strings, and so on.

But where is the "definitive" paper on directory traversal? Canonicalization? The general "malformed input" problem? A taxonomy of configuration errors? etc. There are still major gaps.

Such papers can form the basic "literature" for this emerging field of vulnerability research. They take scattered knowledge, none of which is known to everyone, and collect it into a single source to form a basic but solid understanding of the problem.

(As an example of scattered knowledge, I'm still wondering if anybody else thinks that the vulnerability in the obscure AlienForm2 product was a new type of canonicalization issue - though maybe *that's* "nothing new," but it's new to me).

- Steve