On 28 Nov 2011, at 00:37, Stefan Fritsch wrote:
> * With 'ProxyRequests off', we accept absolute URLs like http://hostname/path
> for local requests, but we don't check that the hostname contained in it
> actually matches the Host header if there is one. The hostname from the URI
> is then used
On Monday 28 November 2011, Nick Kew wrote:
> On 28 Nov 2011, at 00:37, Stefan Fritsch wrote:
> > Hi,
> >
> > while browsing a bit through Michael Zalewski's new Tangled Web
> > book, I was reminded again that we are very forgiving about what
> > we accept as a request. Is this really a good idea
On 28 Nov 2011, at 00:37, Stefan Fritsch wrote:
> Hi,
>
> while browsing a bit through Michael Zalewski's new Tangled Web book,
> I was reminded again that we are very forgiving about what we accept
> as a request. Is this really a good idea in the time of lots of web
> security issues?
Soun
Hi,
while browsing a bit through Michael Zalewski's new Tangled Web book,
I was reminded again that we are very forgiving about what we accept
as a request. Is this really a good idea in the time of lots of web
security issues?
Examples include:
* in the request line, the protocol may be arbi