[Framework-Team] HTTP parameter pollution

Ricardo Newbery ric at digitalmarbles.com
Wed May 20 06:40:05 UTC 2009


On May 19, 2009, at 9:23 PM, Steve McMahon wrote:
> The paper mentions Plone, but all they found is that Plone rejects the
> bad input but "Since this error generates
> ~100 lines in the log file, it may be used to obfuscate other
> attacks." I found no serious vulnerability claim.


How odd.  Just did the test myself and it generates a 70 line  
traceback in the event log.  I fail to see how this could possibly  
"obfuscate other attacks"... unless you were completely clueless about  
tracebacks.  Steve is too kind.  This claim is just ridiculous.

Ric





