Re: post to bugtraq about "session fixation"

[Cesar <cesarc56 () yahoo com>]

You are right. It is an interesting and well written
paper.
But there is a wrong statement in paper, Microsoft
Internet Information Server is NOT "Strict", is a kind
of "Permissive" it will accept some proposed cookie
SessionID and i will create a new session.


Cesar.


--- "Steven M. Christey" <coley () linus mitre org>
wrote:
> securityarchitect () hush com said:
>
> > This is nothing new (although a good write-up).
>
> IMHO, we need more "good write-ups" on most
> vulnerability classes.
> Research doesn't have to be 100% original to be
> important.  When
> Clowes/etc. released the Study in Scarlet paper,
> some PHP bugs were
> "nothing new," but the paper crystalizes many of the
> major issues in
> PHP applications that we're seeing over and over
> again (thanks to the
> diligence of people like frog man ;-) The same thing
> applies to
> aleph1's buffer overflow paper, the Newsham/etc.
> study on format
> strings, and so on.  But where is the "definitive"
> paper on directory
> traversal?  Canonicalization?  The general
> "malformed input" problem?
> A taxonomy of configuration errors? etc.  There are
> still major gaps.
>
> Such papers can form the basic "literature" for this
> emerging field of
> vulnerability research.  They take scattered
> knowledge, none of which
> is known to everyone, and collect it into a single
> source to form a
> basic but solid understanding of the problem.  (As
> an example of
> scattered knowledge, I'm still wondering if anybody
> else thinks that
> the vulnerability in the obscure AlienForm2 product
> was a new type of
> canonicalization issue - though maybe *that's*
> "nothing new," but it's
> new to me).
>
> - Steve


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com