|
Full Disclosure
mailing list archives
Re: Netvolution referer header SQL injection vulnerability
From: Dimitris Glynos <dimitris () census gr>
Date: Tue, 04 Oct 2011 02:30:08 +0300
On 10/03/2011 01:47 PM, Dimitris Glynos wrote:
As header field values are normally not included in HTTP transaction
logs, an attack based on this vulnerability may go unnoticed by web
server administrators.
A correction:
Although most header fields are not normally included in HTTP
transaction logs, the referer one usually is. Hence the above
argument holds true only for web servers with minimal logging
setups (e.g. IIS 6.0 using IIS Log File Format).
Cheers,
Dimitris
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
| 
