-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Florian Weimer wrote:
> The whitepaper you referenced describes a vulnerability in web
> proxies. The sqwebmail vulnerability could be used to exploit it, but
> then you could also direct the victim to a completely rogue web server
> under your control.

The whitepaper's scope is not limited to web proxies. Please take a closer
look at the paragraph entitled
> Introduction to HTTP Response Splitting
which starts on page 6 of the paper. The redirection script given in this
example is vulnerable in the same way as sqwebmail. It allows for injection
of carriage returns and newlines in the same way, which results in the
ability to partially modify the HTTP response header and body.

Regards,
Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEb08Xn6GkvSd/BgwRAmRmAJ0f/fi4Nq2B9tH/XrKoRpkj+uctyACeKqMP
he18Isq7H/uopB85N/nisEM=
=pnmW
-----END PGP SIGNATURE-----
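
The header injection described in the message above, as an added example that is not part of the original mail, the whitepaper, or sqwebmail's code: a redirect handler that copies a request value into the `Location` header, beside a version that rejects carriage returns and newlines. All function names and sample values are hypothetical and constructed for illustration.

```python
import re

# Anything outside printable ASCII is refused; this covers CR (0x0d) and
# LF (0x0a), the two bytes that end an HTTP header line.
_UNSAFE = re.compile(r"[^\x20-\x7e]")


def redirect_unsafe(target: str) -> bytes:
    """The pattern under discussion: request data copied verbatim into Location."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("utf-8")


def redirect_safe(target: str) -> bytes:
    """Hardened form: a value containing CR, LF or other control bytes is rejected."""
    if _UNSAFE.search(target):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return redirect_unsafe(target)


def header_names(response: bytes) -> list[str]:
    """Header field names of the response, split the way an HTTP parser splits them."""
    head = response.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the status line
    return [line.split(b":", 1)[0].decode("latin-1") for line in lines]


# Constructed sample inputs (not taken from the whitepaper or from sqwebmail).
BENIGN = "/inbox"
TAINTED = "/inbox\r\nX-Injected: 1"  # CR LF followed by an extra header line

if __name__ == "__main__":
    print(header_names(redirect_unsafe(BENIGN)))
    print(header_names(redirect_unsafe(TAINTED)))  # extra header appears
    print(header_names(redirect_safe(TAINTED)))    # request refused instead
```
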