Open Source and information security mailing list archives
 
Date: Sun Aug  7 21:42:02 2005
From: mailinglists at vanscherpenseel.nl (Vincent van Scherpenseel)
Subject: Referers Are Evil

On Sunday 07 August 2005 20:27, Bipin Gautam wrote:

> BUT, i remember testing it on PHPBB back then, i don't think you can
> take over the session on that! (i may be wrong). YAP, but there are
> LOTS of sites & applications out there from which you can easily steal
> away sessions.

Well, if the client's IP address used for a given session is stored in a
session variable, it's not possible to steal an active session from another
IP address. That's probably their way of working around this problem.

 - Vincent van Scherpenseel
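
The check described in this message, as an added example that is not part of the original post or of any application named in the thread: a minimal server-side session store that keeps the client's IP address in a session variable and refuses the session id from any other address. The `SessionStore` class, its method names and the documentation-range addresses are hypothetical; it assumes the address the server sees is the client's own, so clients sharing one address behind a NAT or proxy are not told apart.

```python
import secrets
from typing import Optional


class SessionStore:
    """Server-side sessions bound to the client address that created them."""

    def __init__(self):
        self._sessions = {}   # session id -> dict of session variables
        self.rejected = []    # (expected_ip, presented_ip) pairs, for alerting

    def create(self, client_ip: str, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        # The binding from the post: store the creating client's IP address
        # in a session variable next to the rest of the session state.
        self._sessions[sid] = {"ip": client_ip, "user": user}
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[dict]:
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session["ip"] != client_ip:
            # A valid id presented from a different address, e.g. an id that
            # leaked to a third party in a Referer header. Record it, refuse
            # it, and (design choice made here) destroy the session so the
            # leaked id is worthless; the owner has to log in again.
            self.rejected.append((session["ip"], client_ip))
            del self._sessions[sid]
            return None
        return session


def demo():
    # Constructed sample: addresses from the RFC 5737 documentation ranges.
    store = SessionStore()
    sid = store.create("192.0.2.10", "alice")
    owner = store.lookup(sid, "192.0.2.10")    # same address: accepted
    other = store.lookup(sid, "198.51.100.7")  # other address: refused
    after = store.lookup(sid, "192.0.2.10")    # session was destroyed
    return owner, other, after, store.rejected


if __name__ == "__main__":
    print(demo())
```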
