
taviso

linux, programming and security

January 2008

(Monthly archive)

ITDefense 2008 Next Week

I'm giving a talk at the it-defense security conference in Hamburg next week with a colleague from Google. We're going to be talking about some interesting and often-overlooked sources of vulnerabilities. If anyone else is going to be there, let me know :-)

http://www.it-defense.de/itdefense2008_com/pages/program.html

Common DNS Misconfiguration can lead to "same-site" Scripting


For anyone interested in web application security, I posted a writeup of an interesting cross-site scripting variant to bugtraq over the weekend. The problem is due to DNS administrators commonly installing an unqualified localhost record in their zone files (a "localhost IN A 127.0.0.1" line with no trailing dot on the owner name), so that localhost.example.com resolves to 127.0.0.1.

This might sound harmless at first, but it makes it impossible to access affected sites securely over HTTP (assuming they make use of cookies) from multi-user systems: cookie scope ignores the port, so any other local user who can bind a high port and serve a page at http://localhost.example.com:PORT/ gets a page that receives, and can read and set, cookies scoped to example.com, and if the real site sets document.domain, the attacker's page can script it directly. Under certain circumstances it can be exploited even from single-user systems, for example when a service already listening on 127.0.0.1 reflects attacker-controlled content.

The full post is available here.

$ host localhost.opera.com
localhost.opera.com has address 127.0.0.1

Damn, and the machine I'm posting this from is indeed multi-user :-)
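As an added example (not from the original post or the bugtraq writeup), here is a small Python checker for this misconfiguration. It does two things: scans BIND-style zone text for a localhost A/AAAA record that points a name inside the zone at a loopback address, and performs the live lookup that the `host` command above performs, reporting whether localhost.<domain> resolves to loopback. The sample zone is constructed for illustration, `example.com` is a placeholder, and the function names are my own.

```python
import ipaddress
import socket

# Constructed sample zone, not a real zone file. The "localhost" owner has no
# trailing dot, so it is relative to $ORIGIN and becomes
# localhost.example.com. -> 127.0.0.1, which is exactly the misconfiguration.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN SOA  ns1.example.com. hostmaster.example.com. (
                   2008012001 3600 900 604800 86400 )
           IN NS   ns1.example.com.
ns1        IN A    192.0.2.1
www        IN A    192.0.2.10
localhost  IN A    127.0.0.1     ; harmless-looking boilerplate
localhost  IN AAAA ::1
"""

# Any address in these ranges points a name under the victim's domain back
# at the client machine, which is what makes the record dangerous.
LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"))


def is_loopback(addr):
    """True if addr parses as an IP address inside a loopback range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOOPBACK_NETS)


def _is_localhost_owner(owner):
    """Relative 'localhost' (expands under $ORIGIN) or an absolute
    'localhost.<zone>.' name.  A bare absolute 'localhost.' lies outside
    any zone and is harmless."""
    name = owner.lower()
    return name == "localhost" or (
        name.endswith(".") and name.startswith("localhost.") and name != "localhost.")


def find_localhost_records(zone_text):
    """Scan BIND-style zone text for A/AAAA records whose owner is a
    localhost name inside the zone and whose address is loopback.
    Returns a list of (owner, rtype, address) tuples in file order."""
    findings = []
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]                 # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                 # blank line or $ORIGIN/$TTL directive
        tokens = line.split()
        if not raw[:1].isspace():
            owner, tokens = tokens[0], tokens[1:]    # line names a new owner
        # skip an optional numeric TTL and class to reach the record type
        i = 0
        while i < len(tokens) and (tokens[i].isdigit()
                                   or tokens[i].upper() in ("IN", "CH", "HS")):
            i += 1
        if i + 1 >= len(tokens):
            continue                                 # SOA continuation lines etc.
        rtype, rdata = tokens[i].upper(), tokens[i + 1]
        if (rtype in ("A", "AAAA") and owner is not None
                and _is_localhost_owner(owner) and is_loopback(rdata)):
            findings.append((owner, rtype, rdata))
    return findings


def resolves_to_loopback(domain, resolve=socket.getaddrinfo):
    """Live equivalent of `host localhost.<domain>`: return the sorted list
    of loopback addresses that localhost.<domain> resolves to (empty means
    the domain is not affected or the name does not resolve).  The resolver
    is injectable so the function can be exercised offline."""
    name = "localhost." + domain.rstrip(".")
    try:
        results = resolve(name, None)
    except OSError:                                  # socket.gaierror is a subclass
        return []
    return sorted({r[4][0] for r in results if is_loopback(r[4][0])})


if __name__ == "__main__":
    for owner, rtype, addr in find_localhost_records(SAMPLE_ZONE):
        print(f"unqualified localhost record: {owner} {rtype} {addr}")
    # Live check against a real domain (needs network access):
    # print(resolves_to_loopback("example.com"))
```

The zone scanner is the check to run before a zone is published; the live lookup is what you run against someone else's domain, as with opera.com above. Both treat the whole 127.0.0.0/8 range and ::1 as loopback, since a record for 127.0.0.2 is just as exploitable as one for 127.0.0.1.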