On Mon, Nov 16, 2009 at 11:30 AM, Bernie Cosell <ber...@fantasyfarm.com> wrote:
> As I understand it, this is only really a vulnerability in situations
> where a command to do something *precedes* the authentication to enable
> the command. The obvious place where this happens, of course, is with
> HTTPS where the command [GET or POST] comes first and the authentication
> [be it a cookie or form vbls] comes later.

This last part is not really accurate - piggybacking the evil command onto authentication that is later presented is certainly one possible attack, but there are others, such as the Twitter POST attack and the SMTP attack outlined by Wietse Venema (which doesn't work because of implementation details, but _could_ work with a different implementation).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
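The HTTPS case the quoted paragraph describes (attacker's request line sent under one handshake, victim's cookie-bearing request appended under the next) comes down to a server joining application data across a renegotiation boundary. The following Python simulation is an added example, not code from either poster or from any TLS implementation: it models a toy server that buffers bytes tagged with the handshake ("epoch") they arrived under, and compares the vulnerable behaviour (buffer survives renegotiation) with the hardened one (pending bytes from the previous handshake are discarded). The hostname, paths, cookie and the `X-Ignore:` header trick are constructed sample values; no real TLS or network is involved.

```python
"""Toy model of the 2009 TLS renegotiation splice and its server-side fix.

Constructed for illustration: there is no real TLS here. Each chunk of
application data is tagged with the number of the handshake it arrived
under, which is exactly the information a real TLS stack has at hand.
"""

# Constructed sample traffic. Epoch 1 is the attacker's handshake, epoch 2
# the victim's session that the attacker lets the server renegotiate into.
ATTACKER_PREFIX = b"GET /transfer?to=attacker HTTP/1.1\r\nX-Ignore: "
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=abc123\r\n\r\n"
)
SPLICED_STREAM = [(1, ATTACKER_PREFIX), (2, VICTIM_REQUEST)]


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request-head parser (constructed for the demo)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers}


def handle_stream(chunks, drop_on_renegotiation: bool) -> dict:
    """Feed (epoch, bytes) chunks to the toy server and parse one request.

    drop_on_renegotiation=False reproduces the flaw: bytes buffered under
    handshake N are silently joined with bytes arriving under handshake N+1,
    so the victim's authenticated headers land on the attacker's request line.
    drop_on_renegotiation=True is the hardened behaviour: a request is only
    ever assembled from bytes that share one handshake.
    """
    buf = b""
    buf_epoch = None
    for epoch, data in chunks:
        if buf and epoch != buf_epoch:
            if drop_on_renegotiation:
                buf = b""  # hardened: never carry pending data across a renegotiation
            # vulnerable path: keep the old bytes and append the new session's data
        buf += data
        buf_epoch = epoch
    return parse_request(buf)


def splice_succeeded(request: dict) -> bool:
    """Did the victim's cookie end up attached to the attacker's request line?"""
    return (request["target"].startswith("/transfer")
            and "cookie" in request["headers"])


if __name__ == "__main__":
    for mode in (False, True):
        req = handle_stream(SPLICED_STREAM, drop_on_renegotiation=mode)
        label = "hardened" if mode else "vulnerable"
        print(f"{label}: {req['method']} {req['target']} headers={req['headers']}")
        print(f"  splice succeeded: {splice_succeeded(req)}")
```

Run as written, the vulnerable mode yields a request for `/transfer?to=attacker` carrying `session=abc123`, with the victim's own request line swallowed into the `X-Ignore` header; the hardened mode yields the victim's `/account` request untouched. The point the posters are debating is visible in the model: the splice only works because the attacker's bytes are accepted before anything authenticates them, and the server-side fix is to refuse to let a request span two handshakes. (The deployed protocol-level fix, RFC 5746's renegotiation_info extension, binds the new handshake to the old one so that an unrelated client cannot be spliced in at all; it is mentioned here as context, not as something the original thread discusses.)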