[Secure-testing-commits] r9893 - data/CVE
Stefan Fritsch
sf at sfritsch.de
Sun Sep 28 21:52:02 UTC 2008
On Sunday 28 September 2008, thijs at alioth.debian.org wrote:
> + [etch] - squirrelmail <no-dsa> (less important and fix changes
> behaviour) + NOTE: only relevant for installations that are also
> offered over http + NOTE: which isn't normally a good idea anyway.
> Fixing in stable will + NOTE: change behaviour so not really suited
> for DSA.
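Review bot: the NOTE lines on the new squirrelmail entry ("only relevant for installations that are also offered over http") understate the exposure, because the issue is the session cookie lacking the Secure attribute rather than the server serving content over http. As the reply below explains, a browser sends such a cookie on any plain-http request to the host, even one that yields a 302 or 404 or never reaches the server because a proxy is in the path. Suggest rewording the NOTE to describe that condition instead of tying it to http-served installations.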
I don't think that is accurate. The browser will happily send the session
cookie unencrypted even if the target webserver gives e.g. a 302 or
404 on the corresponding http URL. If a proxy is used, the
squirrelmail server doesn't even need to have port 80 open. All an
attacker has to do is lure the victim to a page that has an http link
to the squirrelmail server as an inline image and snoop the http
request from the victim's browser.
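The mechanism in the reply, as an added example that is not part of the original thread or of SquirrelMail: the Python standard library cookie jar is used as a stand-in for the browser to show that a session cookie set over HTTPS without the Secure attribute is attached to a plain-http request for the same host, including one triggered as an inline image from another site, and that the Secure attribute stops this. The host names, URLs and cookie name are constructed for the illustration.

```python
"""Model what a browser's cookie jar does with a session cookie set over
HTTPS without the Secure attribute, using the stdlib http.cookiejar policy."""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal response stand-in: CookieJar.extract_cookies() only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie_values, login_url, target_url, embedding_site=None):
    """Store the cookies as if received in the response to login_url, then
    return the Cookie header the jar attaches to a request for target_url
    ("" if nothing is sent).  embedding_site marks the request as triggered
    from a page on another host, e.g. an inline image (a third-party request)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_values),
                        urllib.request.Request(login_url))
    if embedding_site:
        req = urllib.request.Request(target_url, origin_req_host=embedding_site,
                                     unverifiable=True)
    else:
        req = urllib.request.Request(target_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def cookies_missing_secure(set_cookie_values):
    """Names of cookies in the given Set-Cookie headers that lack the Secure attribute."""
    missing = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        if "secure" not in [p.lower() for p in parts[1:]]:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed sample: HTTPS login sets the session cookie; a plain-http URL on
    # the same host is then requested as an <img> embedded in a third-party page.
    login = "https://webmail.example.org/src/login.php"
    leak = "http://webmail.example.org/images/sm_logo.png"
    for hdr in ("SQMSESSID=abc123; path=/", "SQMSESSID=abc123; path=/; secure"):
        print(hdr, "->", repr(cookies_sent_to([hdr], login, leak, "third-party.example")))
```

The cookie without Secure is sent on the http request even though it is a cross-site, unverifiable load; with Secure it is only sent back over https.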