Hosting Provided By

Re: post to bugtraq about "session fixation"

From: Steven M. Christey <coley(at)linus.mitre.org>
Date: Thu Dec 19 2002 - 17:37:55 EST

>This is nothing new (although a good write-up).

IMHO, we need more "good write-ups" on most vulnerability classes. Research doesn't have to be 100% original to be important. When Clowes/etc. released the Study in Scarlet paper, some PHP bugs were "nothing new," but the paper crystalizes many of the major issues in PHP applications that we're seeing over and over again (thanks to the diligence of people like frog man ;-) The same thing applies to aleph1's buffer overflow paper, the Newsham/etc. study on format strings, and so on. But where is the "definitive" paper on directory traversal? Canonicalization? The general "malformed input" problem? A taxonomy of configuration errors? etc. There are still major gaps.

Such papers can form the basic "literature" for this emerging field of vulnerability research. They take scattered knowledge, none of which is known to everyone, and collect it into a single source to form a basic but solid understanding of the problem. (As an example of scattered knowledge, I'm still wondering if anybody else thinks that the vulnerability in the obscure AlienForm2 product was a new type of canonicalization issue - though maybe *that's* "nothing new," but it's new to me).

Steve

Received on Thu Dec 19 17:43:46 2002

This message: [ Message body ]
Next message: Kevin Spett: "Re: encoder"
Previous message: N30: "encoder"
Maybe in reply to: Alex Russell: "post to bugtraq about "session fixation""
In reply to Panayiotis A. Thermos: "Re: post to bugtraq about "session fixation""
Next in thread: Cesar: "Re: post to bugtraq about "session fixation""
Reply: Cesar: "Re: post to bugtraq about "session fixation""

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT