On 2016-06-21, Steven D'Aprano wrote:
> "In our case, if we could fool an internal Python application into fetching
> a URL for us, then we could easily access memcached instances. Consider the
> URL: ..."
>
> and then they demonstrate an attack against memcache. Except, the author of
> the articl
On Sun, 19 Jun 2016 03:28 am, Random832 wrote:
> On Sat, Jun 18, 2016, at 12:02, Steven D'Aprano wrote:
>> Er, you may have missed that I'm talking about a single user setup.
>> Are you suggesting that I can't trust myself not to forge a request
>> that goes to a hostile site?
>>
>> It's all well
Steven D'Aprano writes:
>> The issue ... is cross-site request forgery.
> Er, you may have missed that I'm talking about a single user setup. Are you
> suggesting that I can't trust myself not to forge a request that goes to a
> hostile site?
I think the idea is you visit some website with malici
On Sat, Jun 18, 2016, at 12:02, Steven D'Aprano wrote:
> Er, you may have missed that I'm talking about a single user setup.
> Are you suggesting that I can't trust myself not to forge a request
> that goes to a hostile site?
>
> It's all well and good to say that the application is vulnerable to
>
On Sun, 19 Jun 2016 02:02:43 +1000, Steven D'Aprano wrote:
> On Sat, 18 Jun 2016 01:52 pm, Random832 wrote:
>
>> On Fri, Jun 17, 2016, at 21:00, Steven D'Aprano wrote:
>>> The author doesn't go into details of what sort of attacks against
>>> localhost they're talking about. An unauthenticated se
On Sat, 18 Jun 2016 01:52 pm, Random832 wrote:
> On Fri, Jun 17, 2016, at 21:00, Steven D'Aprano wrote:
>> The author doesn't go into details of what sort of attacks against
>> localhost they're talking about. An unauthenticated service running on
>> localhost implies, to me, a single-user setup,
Steven D'Aprano :
> "Even an unauthenticated service listening on localhost is risky these
> days."
>
> but fall short of *explicitly* recommending that they should be
> authenticated. Although they do *implicitly* do so, by saying that "it
> wouldn't be hard" for such services to include a passwo
On Fri, Jun 17, 2016, at 21:00, Steven D'Aprano wrote:
> The author doesn't go into details of what sort of attacks against
> localhost they're talking about. An unauthenticated service running on
> localhost implies, to me, a single-user setup, where presumably the
> single-user has admin access t
On Sat, 18 Jun 2016 04:49 am, Paul Rubin wrote:
> The blog post below is from a couple days ago:
>
>
> http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
> The blog post criticizes Redis and Memcached for not using any
> authentication (since "safe" internal networks
The blog post below is from a couple days ago:
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
It reports that it's possible to inject fake http headers into requests
sent by urllib2(python2) and urllib(python3), by getting the library to
retrieve a url concocted