On 10/03/2011 01:47 PM, Dimitris Glynos wrote: > As header field values are normally not included in HTTP transaction > logs, an attack based on this vulnerability may go unnoticed by web > server administrators.
A correction: Although most header fields are not normally included in HTTP transaction logs, the referer one usually is. Hence the above argument holds true only for web servers with minimal logging setups (e.g. IIS 6.0 using IIS Log File Format). Cheers, Dimitris _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
