[37936] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: Security Advisory for ALL forum services with client-set images

daemon@ATHENA.MIT.EDU (Stefan Paletta)
Thu Dec 23 15:33:05 2004

Date: Thu, 23 Dec 2004 09:50:40 +0100
To: bugtraq@securityfocus.com
Message-ID: <20041223085040.GO3332@delusion.wronline.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20041222100344.12092.qmail@www.securityfocus.com>
From: Stefan Paletta <stefanp@cabal1.com>
Mail-Followup-To: bugtraq@securityfocus.com
Reply-To: Stefan Paletta <stefanp-exp-1104396643.9142e1@cabal1.com>

James Bandara wrote/schrieb/scripsit:
>To block this I suggest you edit your service to only accept links that 
>end in image formats for images before the querystring.

That doesn't really help ─ the attacker can send a HTTP redirect from an 
innocent-looking URL.

-Stefan
-- 
 junior guru   SP666-RIPE     JID:stefanp@jabber.de.cw.net    SMP@IRC


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[37936] in bugtraq

Re: Security Advisory for ALL forum services with client-set images

daemon@ATHENA.MIT.EDU (Stefan Paletta)Thu Dec 23 15:33:05 2004

daemon@ATHENA.MIT.EDU (Stefan Paletta)
Thu Dec 23 15:33:05 2004