[4958] in WWW Security List Archive
Re: The GET vulnerability
daemon@ATHENA.MIT.EDU (Peter DURANT)
Mon Mar 31 18:43:56 1997
Date: 31 Mar 97 06:42:04 EST
From: Peter DURANT <101511.3641@compuserve.com>
To: Rutgers <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
Hi,
The following is another mail you have sent me, the
type of which I prefer not to receive any longer.
I would therefore be very grateful if you could delete
my name from your mailing lists.
Many thanks.
Peter
-------------Forwarded Message-----------------
From: Laurent Demailly, INTERNET:dl@hplyot.obspm.fr
To: Gary McGraw, INTERNET:GEM@RSTCORP.COM
CC: INTERNET:WWW-SECURITY@NS2.RUTGERS.EDU
Date: 30-03-97 3:35
RE: Re: The GET vulnerability
Sender: owner-www-security@ns2.rutgers.edu
Received: from ns2.rutgers.edu (ns2.rutgers.edu [128.6.21.2]) by hil-img-4.compuserve.com (8.6.10/5.950515)
id UAA02287; Sat, 29 Mar 1997 20:21:36 -0500
Received: (from daemon@localhost) by ns2.rutgers.edu (8.8.5/8.6.12) id LAA06177 for www-security-outgoing; Sat, 29 Mar 1997 11:30:00 -0500 (EST)
Received: from hplyot.obspm.fr (no-warrant-no-ident@hplyot.obspm.fr [145.238.44.5]) by ns2.rutgers.edu (8.8.5/8.6.12) with SMTP id LAA06167 for <www-security@ns2.rutgers.edu>; Sat, 29 Mar 1997 11:29:55 -0500 (EST)
Received: by hplyot.obspm.fr
(1.36.108.10/16.2.5) id AA18749; Sat, 29 Mar 1997 17:29:50 +0100
Date: Sat, 29 Mar 1997 17:29:50 +0100
Message-Id: <9703291629.AA18749@hplyot.obspm.fr>
From: Laurent Demailly <dl@hplyot.obspm.fr>
To: Gary McGraw <gem@rstcorp.com>
Cc: www-security@ns2.rutgers.edu
Subject: Re: The GET vulnerability
In-Reply-To: <199703281616.LAA10095@rstcorp.com>
References: <199703281616.LAA10095@rstcorp.com>
Sender: owner-www-security@ns2.rutgers.edu
Precedence: bulk
Errors-To: owner-www-security@ns2.rutgers.edu
The risk is most probably so close to zero that this is a non-issue
(for credit cards, the issue is indeed rather one of privacy when doing
searches... we have here an interesting collection of Alta Vista
search referers that say much about people's interests (as you might
expect: sex)).
Why it is not a problem for credit cards: because all but prehistoric
browser versions (pre-1.0 Netscape versions, for instance...) send
referer information only if you select a link on the page, and I doubt
any CC submittal form/acknowledgement would have a link to an
external/dangerous site (not counting that there is also probably
very little use of the GET method anymore for that kind of form).
This does not mean CC use on the net is safe, but that particular
problem is not (IMO) an issue.
Best regards
dl
--
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Pobox email: dl@mail.dotcom.fr
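The leak discussed in this thread, as an added example that is not part of the original list posts: a GET form puts its fields in the page URL, and a browser that follows a link from that page sends the URL as Referer to the linked site, card number included; a POST form does not. The block also includes a check a site operator could run over a combined-format access log to see whether inbound Referer headers are carrying card-like values. The shop/ad host names, the log lines and the card number 4111 1111 1111 1111 are constructed test data, not anything from the original message.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs


def submit_form(action, fields, method):
    """Build a form submission as (request target, body).

    With GET the browser appends the fields to the URL, so they end up in
    the address bar, history, proxy logs and any later Referer header.
    With POST they travel in the body and the page URL stays clean.
    """
    if method.upper() == "GET":
        return f"{action}?{urlencode(fields)}", None
    return action, urlencode(fields)


def referer_on_click(current_url, link):
    """Model of the browser behaviour the post describes: when the user
    follows a link, the browser sends the full URL of the page the link
    was on as Referer to the linked host (pre-Referrer-Policy browsers
    did this unconditionally)."""
    return {"Host": urlsplit(link).netloc, "Referer": current_url}


def luhn_ok(digits):
    """Luhn check-digit test, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_like_values(url):
    """Return (param, digits) for query values that look like card numbers:
    13-19 digits after dropping spaces/dashes, passing the Luhn check."""
    found = []
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            digits = re.sub(r"[ -]", "", value)
            if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits):
                found.append((name, digits))
    return found


# Apache/NCSA combined log format: client, ident, user, [time], "request",
# status, size, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def leaked_cards_in_log(lines):
    """Flag requests whose Referer carried a card-like query value.
    Only the parameter name and the last four digits are kept, so the
    report itself does not become a second copy of the leak."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for name, digits in card_like_values(m.group("referer")):
            hits.append((m.group("client"), name, digits[-4:]))
    return hits


# Constructed sample log of an external site (a banner or "partner" host)
# that pages on the hypothetical shop.example link to. Not real traffic.
SAMPLE_LOG = [
    # GET-based order form: the whole form, card number included, arrives in Referer.
    '203.0.113.7 - - [29/Mar/1997:17:29:50 +0100] "GET /banner.gif HTTP/1.0" 200 1234 '
    '"http://shop.example/order?name=A+Buyer&cc=4111+1111+1111+1111&exp=12%2F99" "Mozilla/3.0"',
    # POST-based form: same page, but the URL carries no fields.
    '203.0.113.8 - - [29/Mar/1997:17:30:02 +0100] "GET /banner.gif HTTP/1.0" 200 1234 '
    '"http://shop.example/order" "Mozilla/3.0"',
    # Numeric order id that fails the Luhn check: not flagged.
    '203.0.113.9 - - [29/Mar/1997:17:30:40 +0100] "GET /partner HTTP/1.0" 200 512 '
    '"http://shop.example/thanks?order=1234567890123" "Mozilla/3.0"',
    # No Referer at all.
    '203.0.113.10 - - [29/Mar/1997:17:31:00 +0100] "GET / HTTP/1.0" 200 88 "-" "Mozilla/3.0"',
]

# Constructed form contents; 4111 1111 1111 1111 is a well-known test number.
FIELDS = {"name": "A Buyer", "cc": "4111 1111 1111 1111", "exp": "12/99"}


def demo():
    """Show the GET/POST difference for one link click, then scan the sample log."""
    get_url, _ = submit_form("http://shop.example/order", FIELDS, "GET")
    post_url, _ = submit_form("http://shop.example/order", FIELDS, "POST")
    link = "http://ads.example/x"
    return {
        "get_referer_leaks": card_like_values(referer_on_click(get_url, link)["Referer"]),
        "post_referer_leaks": card_like_values(referer_on_click(post_url, link)["Referer"]),
        "log_hits": leaked_cards_in_log(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The mitigation here is the one the post implies: submit the form with POST so the fields never enter the URL. Modern browsers also trim or drop Referer under Referrer-Policy, but a GET form still leaves the data in history, bookmarks and proxy and server logs, so the log check is worth running regardless of browser behaviour.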