Re: [Full-Disclosure] Security Hole in HTTP (RFC1945) - Browser-Spoofing
- To: LC <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Security Hole in HTTP (RFC1945) - Browser-Spoofing
- From: Szilveszter Adam <adam@xxxxxx>
- Date: Thu, 01 Apr 2004 08:36:24 +0200
Ron Stiemer wrote:
> Hi List,
> can anybody confirm this, or is it just an April Fool's joke?

Yes, I can confirm this. After all, I have been "on air" with such a
spoofed browser authentication :-) string for years now, making website
statistics software cry and webmasters scratch their heads. (FWIW, they
are probably talking about the User-Agent header.) If my UA string is to
be believed, I have already moved to a 256-bit OS just in case. And yes,
this was used in the past to get access to websites like the moronic
"only IE allowed here" that were popular a few years ago.

And yes, heise always puts out a joke article (at least one) on April
1st along with c't. Sometimes it is rather hard to find it, because the
contents look plausible enough at first sight and they even spoof
literature listings for it :-) So watch out today.
Regards:
Sz.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html