On Fri, 27 Aug 1999, Paul Leach (Exchange) wrote:
The server gets to say, in the WWW-Authenticate challenge header field, for
which "realm" it wants credentials (name+password). If both www.company.com
and www.company.com:81 send the same realm, then the same password will
continue to work.
Unfortunately, many documents suggest doing this work as root. See
http://www.redhat.com/mirrors/LDP/HOWTO/Kernel-HOWTO-3.html#ss3.2
Some re-education may be in order. :-(
-Peter
cc: Brian Ward, the Kernel-HOWTO maintainer
At 10:06pm Oct 25, 1999, Alessandro Rubini wrote:
There is a
At 1:14am Nov 13, 1999, D. J. Bernstein wrote:
A sniffing attacker can easily forge responses to your DNS requests. He
can steal your outgoing mail, for example, and intercept your ``secure''
web transactions. This is obviously a problem.
If by secure web transactions, you mean https,
Please note that such wrappers should produce normal HTML pages with
hyperlinks and HTTP-EQUIV "client pull" tags. If the wrapper simply uses a
Location: redirect, many clients will send the URL of the original page,
not the URL of the intermediate wrapper (verified in Netscape 4.7 and MSIE
4.0).
,
then $TMPDIR (maybe), then a fatal complaint.
-Peter
At 11:50pm Jan 24, 2000, Peter W wrote:
At 8:48am Jan 24, 2000, harikiri wrote:
w00w00 Security Advisory - http://www.w00w00.org/
Title: VMware 1.1.2 Symlink Vulnerability
Platforms: Linux Distributions with VMware 1.1.2
At 10:31am Feb 23, 2000, -Eiji Ohki- wrote:
I could find out the denial of service effected to iPlanet
Web Server, Enterprise Edition 4.1 on Linux 2.2.5(Redhat6.1J;
Kernel 2.2.12).
http://www.iplanet.com/downloads/download/detail_161_284.html
"Version Description: Please note this is a
At 11:44pm Mar 15, 2000, Pavel Machek wrote:
/proc/pid allows strange tricks (2.3.49):
pavel@bug:~/misc$ ps aux | grep grep
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
... interesting bits about
At 5:48pm Mar 22, 2000, Vanja Hrustic wrote:
amonotod wrote:
Netscape ENT 3.6 SP3 -or maybe it's SP2- on NT4.0 SP4, vulnerable, even though
WebPublishing has never (not even just to try it out) been enabled.
Same here. If directory browsing is enabled, wp-cs-dump gives a listing.
- ACLs
On Mon, Jan 22, 2001 at 01:30:33PM +0100, Peter Grndl wrote:
Defcom Labs Advisory def-2001-05
Oooh, how fancy! ;-)
--=[Detailed Description]=
The Fasttrack 4.1 server caches requests for non-existing URLs with
valid extensions
On Mon, Jan 22, 2001 at 05:28:50PM -0800, Ryan Russell wrote:
Due to some mail trouble, I'm manually forwarding this note.
From: Microsoft Security Response Center
Subject:Re: BugTraq: EFS Win 2000 flaw
"... it is recommended that it is always better to start by
Regarding Peter Guendl's discovery of DoS attacks against iWS 4.1:
1) Peter G. reports that disabling the cache with cache-init is not
an effective workaround for the FastTrack problem.
2) I wrote that iWS 4.1 has "at least one huge hole (remote code execution
via SSL/TLS implementation
On Sun, Feb 11, 2001 at 05:15:53PM -0300, Paulo Cesar Breim wrote:
The software Tiny Sheet, present in all versions of Palm Pilot,
http://www.iambic.com/pilot/tinysheet3/
To clarify: it's not included with PalmOS; it's 3rd-party software.
has a function called IMPORT file.
Well when this
I can't believe how much has been written about an issue
that's apparently fixed with a few lines of code.
More patches, less pedantic finger pointing. Bottom line
is the app does not, cannot enforce length constraints on
usernames, so it needs to do proper bounds checking.
-Peter
On Sat, Feb 17, 2001 at 04:57:23PM +0100, JeT Li wrote:
One way to fix the problem is to create a directory inside your
home directory which is inaccessible to anyone but yourself (permissions 700),
called tmp. Then insert an entry in your login start-up file to set the $TMP
On Sun, Mar 11, 2001 at 10:36:32PM +0100, Palmans Pepijn wrote:
The problem is in the sub check_url:
It sets $check_referer = 1 if there is no $ENV{'HTTP_REFERER'}
Under normal conditions your server will always be able to get the HTTP_REFERER.
Not true. Many firewalls block Referer headers,
On Fri, May 18, 2001 at 04:35:08PM -0400, Greg A. Woods wrote:
[ On Friday, May 18, 2001 at 11:18:51 (-0400), Wietse Venema wrote: ]
3 - User-specified shell commands. Traditionally, a user can specify
any shell command in ~user/.forward, and that command will execute
with the privileges
On Mon, Jun 04, 2001 at 03:17:04PM -0700, [EMAIL PROTECTED] wrote:
On Mon, Jun 04, 2001 at 11:19:37AM -0400, David F. Skoll wrote:
I could not duplicate this with OpenSSH 2.9p1-1 on Red Hat 6.2
The problem code is invoked in the X forwarding of ssh. If you try
again, this time passing -X as
On Tue, Jun 05, 2001 at 12:59:03PM -0700, Dan Kaminsky wrote:
An immediate design fix would be to use a different coloring and fontfacing
scheme to refer to full names, rather than quoted email addresses from the
address book. This should self-document decently, since over the course of
On Fri, Jun 08, 2001 at 04:51:57AM +0100, Glynn Clements wrote:
Eric Hacker wrote:
Conveniently, UTF8 uses the same
values as ASCII for ASCII representation. Above the standard ASCII 127
character representation, UTF8 uses multi-byte strings beginning with 0xC1.
No; the sequences for
On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:
While crypt password authentication is not in and of itself very secure,
Network Sulotions have made it even less so by including the first two
characters of the password as the salt of the encrypted form. While the
password is
On Fri, Jun 15, 2001 at 02:09:57AM -0400, Chris Lambert wrote:
Yes, you're correct that its the target of the exploit which needs to be
protected. However, the reason we originally related it to message boards
was because the source and the target were tightly related.
Yes, of course. It's a
On Thu, Jun 14, 2001 at 09:12:05PM -0400, Chris Lambert wrote:
would it be safe to check
that if a referer is present, it contains the sites' domain name,
Yes.
but if it
isn't, it most likely wouldn't have been referenced in an img tag or
submitted via JavaScript?
You mean it's
Regarding IMG tags in HTML email, here is a good point I received off-list.
The sender did not wish to post directly, but approved forwarding this note.
-Peter
- Forwarded message (anonymous, forwarded with permission) -
Date: Sat, 16 Jun 2001 22:55:41 +0200
To: Peter W [EMAIL
On Tue, Jun 19, 2001 at 03:44:10PM +0200, Henrik Nordstrom wrote:
[EMAIL PROTECTED] wrote:
Folks are missing the point on the Referer check that I suggested.
I intentionally selected to not go down that path in my message as there
are quite a bit of pitfalls with Referer, and it can
24 matches
Mail list logo