Re: [Framework-Team] HTTP parameter pollution

2009-05-20 Thread Ricardo Newbery


On May 19, 2009, at 9:23 PM, Steve McMahon wrote:

The paper mentions Plone, but all they found is that Plone rejects the
bad input but "Since this error generates
~100 lines in the log file, it may be used to obfuscate other
attacks." I found no serious vulnerability claim.



How odd.  Just did the test myself and it generates a 70 line  
traceback in the event log.  I fail to see how this could possibly  
obfuscate other attacks... unless you were completely clueless about  
tracebacks.  Steve is too kind.  This claim is just ridiculous.


Ric



___
Framework-Team mailing list
Framework-Team@lists.plone.org
http://lists.plone.org/mailman/listinfo/framework-team


Re: [Framework-Team] HTTP parameter pollution

2009-05-19 Thread Jon Stahl

Andreas Jung wrote:

Hi there,

just read this article (in German) about a new attack pattern called
HTTP parameter pollution and they mention Plone:

http://www.linux-community.de/Internal/Nachrichten/Webanwendungen-mit-HTTP-Parameter-Pollution-angreifen

Anyone heard of this?


  
http://seclists.org/bugtraq/2009/May/0165.html seems to be a good 
starting point.


:jon

