lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun Aug  7 21:55:04 2005
From: fd-0 at ml.turing-complete.org (Nicolas Rachinsky)
Subject: Referers Are Evil

* Vincent van Scherpenseel <mailinglists@...scherpenseel.nl> [2005-08-07 22:41 +0200]:
> On Sunday 07 August 2005 20:27, Bipin Gautam wrote:
> 
> > BUT, i remember testing it on PHPBB back then, i don't think you can
> > take over the session on that! (i may be wrong). YAP, but there are
> > LOTS of sites & applications out there from which you can easily steal
> > away sessions.
> 
> Well, if the client's IP address used for a given session is stored in a 
> session variable  it's not possible to steal an active session from another 
> IP address. That's probably their way of working around this problem.

What if the attacker is behind the same proxy?

Nicolas

-- 
http://www.rachinsky.de/nicolas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ