[Secure-testing-commits] r9893 - data/CVE
Thijs Kinkhorst
thijs at debian.org
Mon Sep 29 07:29:05 UTC 2008
On Sun, September 28, 2008 23:52, Stefan Fritsch wrote:
> I don't think that is accurate. The browser will happily send the session
> cookie unencrypted even if the target webserver gives e.g. a 302 or 404 on
> the corresponding http URL. If a proxy is used, the squirrelmail server
> doesn't even need to have port 80 open. All an attacker has to do is lure
> the victim to a page that has an http link to the squirrelmail server as
> an inline image and snoop the http request from the victim's browser.
Hmm, I didn't realise that that would also work. Still, because of the
behaviour change I'm not eager to push it in a DSA.
Thijs
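The leak Stefan describes, modelled as an added example (this is not code from the thread, from squirrelmail or from Debian). It stores a session cookie the way a browser would after an https login and then asks the standard-library cookie jar, whose send/no-send rules follow the Netscape/RFC 6265 behaviour browsers implement, which cookies get attached to the plain-http inline-image request a lure page triggers. The host name webmail.example.org, the cookie name and value, the lure page and the use of the Secure attribute as the contrasting case are all assumptions made for this example; the thread does not say what the pending behaviour change is.

```python
"""Model of the cookie leak discussed above: a session cookie set over https
is attached by the browser to a plain-http request for an inline image on the
same host, so it crosses the wire unencrypted.  Host, cookie name/value and the
lure page are constructed for this example."""
import http.cookiejar
import urllib.request
from email.message import Message
from html.parser import HTMLParser

WEBMAIL_HOST = "webmail.example.org"                 # assumption: the squirrelmail host
LOGIN_URL = f"https://{WEBMAIL_HOST}/src/login.php"  # the cookie is set over https

# Constructed attacker page: a 1x1 inline image fetched from the webmail host over http.
LURE_PAGE = """<html><body>
<p>cat pictures</p>
<img src="http://webmail.example.org/src/cat.png" width="1" height="1">
</body></html>"""


class _SetCookieResponse:
    """Minimal stand-in for the urllib response object that
    CookieJar.extract_cookies expects; it only needs .info() to return headers."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_header, request_url):
    """Store the cookie as the https login response would set it, then return
    the Cookie header the jar attaches to request_url (None if withheld).
    The jar decides before any response arrives, so what the server would
    answer for the http URL (302, 404, ...) plays no role."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(LOGIN_URL)
    jar.extract_cookies(_SetCookieResponse(set_cookie_header), login_request)
    later_request = urllib.request.Request(request_url)
    jar.add_cookie_header(later_request)  # applies the scheme/domain/path rules
    return later_request.get_header("Cookie")


class _ImgSrcCollector(HTMLParser):
    """Collect the src of every <img>, i.e. the URLs a browser fetches on its
    own while rendering the lure page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def leaked_over_http(set_cookie_header, lure_html):
    """Return (url, cookie header) for every inline image on the lure page
    that is fetched over plain http with the session cookie attached."""
    parser = _ImgSrcCollector()
    parser.feed(lure_html)
    leaks = []
    for url in parser.srcs:
        if not url.startswith("http://"):
            continue
        sent = cookie_header_for(set_cookie_header, url)
        if sent is not None:
            leaks.append((url, sent))
    return leaks


if __name__ == "__main__":
    # Cookie name and value are constructed for the example.
    plain = "SQMSESSID=deadbeef; Path=/"
    # Assumption: a cookie carrying the Secure attribute is the contrasting case.
    secure = "SQMSESSID=deadbeef; Path=/; Secure"
    print("without Secure:", leaked_over_http(plain, LURE_PAGE))
    print("with Secure:   ", leaked_over_http(secure, LURE_PAGE))
```

Running it shows the cookie attached to the http://webmail.example.org/src/cat.png request in the first case and nothing in the second; a cookie for another host is never attached in either case. Whether port 80 is open on the webmail host, or what it would answer, does not matter to the jar, which matches the point made in the quoted reply.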