WebApp Sec mailing list archives
Re: post to bugtraq about "session fixation"
From: Cesar <cesarc56 () yahoo com>
Date: Fri, 20 Dec 2002 08:00:19 -0800 (PST)
You are right. It is an interesting and well written paper. But there is a wrong statement in the paper: Microsoft Internet Information Server is NOT "Strict", it is a kind of "Permissive". It will accept some proposed cookie SessionID and it will create a new session.

Cesar.

--- "Steven M. Christey" <coley () linus mitre org> wrote:

> securityarchitect () hush com said:
>
> > This is nothing new (although a good write-up).
>
> IMHO, we need more "good write-ups" on most vulnerability classes. Research doesn't have to be 100% original to be important. When Clowes/etc. released the Study in Scarlet paper, some PHP bugs were "nothing new," but the paper crystallizes many of the major issues in PHP applications that we're seeing over and over again (thanks to the diligence of people like frog man ;-) The same thing applies to aleph1's buffer overflow paper, the Newsham/etc. study on format strings, and so on.
>
> But where is the "definitive" paper on directory traversal? Canonicalization? The general "malformed input" problem? A taxonomy of configuration errors? etc. There are still major gaps.
>
> Such papers can form the basic "literature" for this emerging field of vulnerability research. They take scattered knowledge, none of which is known to everyone, and collect it into a single source to form a basic but solid understanding of the problem.
>
> (As an example of scattered knowledge, I'm still wondering if anybody else thinks that the vulnerability in the obscure AlienForm2 product was a new type of canonicalization issue - though maybe *that's* "nothing new," but it's new to me).
>
> - Steve
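The "strict" versus "permissive" distinction Cesar raises is the crux of session fixation: a permissive server adopts whatever session ID the client's cookie proposes and creates a new session under it, so the ID a victim ends up with can be known in advance; a strict server discards unknown IDs and issues its own. The following added example (not code from the thread, from the paper, or from any real server; the `SessionStore` class, its `strict` flag and the sample IDs are constructed for illustration) models both behaviours side by side and shows the mitigation that closes the gap regardless of server mode: regenerating the session ID at login.

```python
import secrets


class SessionStore:
    """Minimal server-side session table contrasting 'permissive' and 'strict'
    handling of a client-supplied session ID. Constructed for illustration;
    it mirrors no particular product's implementation."""

    def __init__(self, strict=True):
        self.strict = strict
        self.sessions = {}  # session_id -> dict of session data

    def _new_id(self):
        # Server-generated, unguessable identifier (256 bits of entropy).
        return secrets.token_urlsafe(32)

    def resolve(self, proposed_id):
        """Return the session ID the server will use for this request.

        - An ID the server already knows is honoured in both modes.
        - Permissive mode adopts an *unknown* proposed ID and creates a fresh
          session under it. This is the behaviour the post attributes to IIS,
          and it is exactly what makes fixation possible: the ID in the
          victim's session was chosen outside the server.
        - Strict mode ignores unknown IDs and issues a server-generated one.
        """
        if proposed_id is not None and proposed_id in self.sessions:
            return proposed_id
        if proposed_id is not None and not self.strict:
            self.sessions[proposed_id] = {}
            return proposed_id
        new_id = self._new_id()
        self.sessions[new_id] = {}
        return new_id

    def login(self, session_id, user):
        """Mitigation: rotate the ID whenever privilege changes, so that an ID
        known before authentication never names an authenticated session.
        Returns the new ID; the old one is invalidated."""
        data = self.sessions.pop(session_id)
        data["user"] = user
        new_id = self._new_id()
        self.sessions[new_id] = data
        return new_id


def accepts_foreign_id(store, proposed_id):
    """Detection helper: True if the server will carry an unknown, externally
    chosen ID into a live session (the permissive symptom)."""
    return store.resolve(proposed_id) == proposed_id


if __name__ == "__main__":
    # Constructed sample: an ID the server never generated.
    planted = "externally-chosen-session-id"
    print("permissive adopts foreign ID:",
          accepts_foreign_id(SessionStore(strict=False), planted))
    print("strict adopts foreign ID:",
          accepts_foreign_id(SessionStore(strict=True), planted))
```

Even on a permissive server, `login()` leaves no authenticated session reachable through the pre-login ID, which is the check worth confirming in any session framework: after authentication, the cookie value must differ from the one presented before it, and the old value must resolve to nothing.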
Current thread:
- post to bugtraq about "session fixation" Alex Russell (Dec 18)
- <Possible follow-ups>
- Re: post to bugtraq about "session fixation" securityarchitect (Dec 18)
- Re: post to bugtraq about "session fixation" Kevin Spett (Dec 18)
- Re: post to bugtraq about "session fixation" Alex Russell (Dec 18)
- Re: post to bugtraq about "session fixation" Kevin Spett (Dec 18)
- Re: post to bugtraq about "session fixation" Panayiotis A. Thermos (Dec 18)
- Re: post to bugtraq about "session fixation" Steven M. Christey (Dec 19)
- Re: post to bugtraq about "session fixation" Cesar (Dec 20)
- Re: post to bugtraq about "session fixation" H D Moore (Dec 20)
- Re: post to bugtraq about "session fixation" Cesar (Dec 20)