lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <04Apr1.083632cest.118724@fd.hif.hu>
From: adam at hif.hu (Szilveszter Adam)
Subject: Security Hole in HTTP (RFC1945) - Browser-Spoofing

Ron Stiemer wrote:

> Hi List,
> 
> can anybody confirm this, or is it just an april's fool joke ?

Yes, I can confirm this. After all, I have been "on air" with such a 
spoofed browser authentication :-) string for years now, making website 
statistcs software cry and webmasters scratch their heads. (FWIW, they 
are probably talking about the User-Agent header) If my UA string is to 
be believed, I have already moved to a 256-bit OS just in case. And yes, 
this was used in the past to get access to websites like the moronic 
"only IE allowed here" that were popular a few years ago.

And yes, heise always puts out a joke article (at least one) on April 
1st along with c't. Sometimes it is rather hard to find it, because the 
contents look plausible enough at first sight and they even spoof 
literature listings for it :-) So watch out today.

Regards:
Sz.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ