[Full-disclosure] Netvolution referer header SQL injection vulnerability
Dimitris Glynos
dimitris at census.gr
Tue Oct 4 00:30:08 BST 2011
On 10/03/2011 01:47 PM, Dimitris Glynos wrote:
> As header field values are normally not included in HTTP transaction
> logs, an attack based on this vulnerability may go unnoticed by web
> server administrators.
A correction:
Although most header fields are not normally included in HTTP
transaction logs, the referer one usually is. Hence the above
argument holds true only for web servers with minimal logging
setups (e.g. IIS 6.0 using IIS Log File Format).
Cheers,
Dimitris
Full-Disclosure is hosted and sponsored by Secunia.