On 10.11.2009 05:36, Costin Manolache wrote:
> The request will not be executed - how can he continue the attack ?

I don't get that as well. As far as I understand the attack, there is no information disclosure. The only thing an attacker can do is mix his request with a user-supplied one, thereby leveraging user credentials to execute his own request. Neither can he see the user request, nor the response. The user client will do a renegotiation and only provide his request inside the newly negotiated encryption, which is not transparent for the MITM. The server buffers the partial attacker request sent directly before initiating the renegotiation, and if it is an incomplete request, it will be buffered at the server, combined with what the user is sending after renegotiation and executed in the security context of the user.

Regards,

Rainer
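
The buffering behaviour described in this message, as a toy model added here (not code from the thread or from Tomcat). The `Connection` class, the epoch tagging and the sample requests are constructed, and the discard-on-renegotiation variant is an assumed server-side check, not the project's fix.

```python
# Toy model (constructed for illustration): plaintext arrives tagged with the
# TLS handshake epoch it was decrypted under. Epoch 0 is the session before
# renegotiation, epoch 1 the renegotiated session carrying user credentials.
TERMINATOR = b"\r\n\r\n"

class Connection:
    def __init__(self, discard_on_renegotiation):
        self.discard_on_renegotiation = discard_on_renegotiation
        self.buffer = bytearray()
        self.epochs = []            # epoch of each buffered byte
        self.epoch = 0
        self.authenticated = False

    def renegotiate(self, client_authenticated):
        # Hardened variant: never carry unparsed bytes into the new session.
        if self.discard_on_renegotiation and self.buffer:
            self.buffer.clear()
            self.epochs.clear()
        self.epoch += 1
        self.authenticated = client_authenticated

    def receive(self, data):
        """Buffer data and return one dict per request it completes."""
        self.buffer += data
        self.epochs += [self.epoch] * len(data)
        completed = []
        while (end := self.buffer.find(TERMINATOR)) != -1:
            end += len(TERMINATOR)
            head = bytes(self.buffer[:end])
            spans = sorted(set(self.epochs[:end]))
            completed.append({
                "request_line": head.split(b"\r\n", 1)[0].decode(),
                "epochs": spans,
                "mixed": len(spans) > 1,   # one request, bytes from two sessions
                "runs_as_user": self.authenticated,
            })
            del self.buffer[:end]
            del self.epochs[:end]
        return completed

def replay(discard_on_renegotiation):
    conn = Connection(discard_on_renegotiation)
    # Constructed sample traffic, not taken from the thread.
    early = conn.receive(b"GET /attacker-chosen HTTP/1.1\r\nHost: app.example\r\n")
    conn.renegotiate(client_authenticated=True)
    late = conn.receive(b"GET /user-page HTTP/1.1\r\nHost: app.example\r\n\r\n")
    return early + late
```

With `replay(False)` the single completed request carries the pre-renegotiation request line, spans both epochs and runs with the user's authentication; with `replay(True)` only the user's own request is executed. The `mixed` flag is the signal a server or log pipeline could alert on.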