[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Netvolution referer header SQL injection vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Netvolution referer header SQL injection vulnerability
From: Dimitris Glynos <dimitris@xxxxxxxxx>
Date: Tue, 04 Oct 2011 02:30:08 +0300

On 10/03/2011 01:47 PM, Dimitris Glynos wrote:
> As header field values are normally not included in HTTP transaction
> logs, an attack based on this vulnerability may go unnoticed by web
> server administrators.

A correction:

Although most header fields are not normally included in HTTP
transaction logs, the referer one usually is. Hence the above
argument holds true only for web servers with minimal logging
setups (e.g. IIS 6.0 using IIS Log File Format).

Cheers,

Dimitris

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Netvolution referer header SQL injection vulnerability
  - From: Dimitris Glynos

Prev by Date: Re: [Full-disclosure] Apache 2.2.17 exploit?
Next by Date: Re: [Full-disclosure] Vulnerability in multiple themes for Drupal
Previous by thread: [Full-disclosure] Netvolution referer header SQL injection vulnerability
Next by thread: [Full-disclosure] Apache 2.2.17 exploit?
Index(es):
- Date
- Thread