-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

Mark Thomas wrote:
| This attack requires luring a user who is already logged in to a webapp
| running on a vulnerable Tomcat server to a malicious site. With a
| suitably crafted URL, the attacker is able to steal the authentication
| cookie for the user who was lured to the malicious site. It is the user
| that is lured who is the 'current user'.

Maybe I'm not reading the OP's reference correctly
(http://securitytracker.com/alerts/2007/Aug/1018557.html) but it looks
like the URL provided (in the "exploit") doesn't demonstrate what you
describe.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhO8x0ACgkQ9CaO5/Lv0PDMcgCeL/A1AIC/uFGlFonqsLeg9Vq2
RbUAn2qNiHgkzEpTFePBhTD0JxcpuX0y
=cpn1
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]