[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Referers Are Evil
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Referers Are Evil
- From: Nicolas Rachinsky <fd-0@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 7 Aug 2005 22:54:55 +0200
* Vincent van Scherpenseel <mailinglists@xxxxxxxxxxxxxxxxxx> [2005-08-07 22:41
+0200]:
> On Sunday 07 August 2005 20:27, Bipin Gautam wrote:
>
> > BUT, i remember testing it on PHPBB back then, i don't think you can
> > take over the session on that! (i may be wrong). YAP, but there are
> > LOTS of sites & applications out there from which you can easily steal
> > away sessions.
>
> Well, if the client's IP address used for a given session is stored in a
> session variable it's not possible to steal an active session from another
> IP address. That's probably their way of working around this problem.
What if the attacker is behind the same proxy?
Nicolas
--
http://www.rachinsky.de/nicolas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/