Dre (exor674) wrote in lj_dev,

Potential security issue with people adding a trailing '.' to your domain

If you have domain forwarding enabled, a user can take control of www.sitename.com. (note the trailing dot) and possibly get ahold of the users' master cookie, as well as some other pretty vile things.

Adding $host =~ s/\.$//; on line 256 of cgi-bin/Apache/LiveJournal.pm should correct this issue.
Tags: *announce, security bug reports, server, server: domains
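
The effect of the proposed substitution, as an added example that is not part of the original post and is not LiveJournal's code: it routes a Host header with and without normalisation, and goes one step beyond the post by also rejecting a forwarding registration that collides with the site's own name. The names $SITE_HOST, %forwarded, canonical_host, route and registration_allowed, and the sample table, are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed names: the site's own host and a user-controlled forwarding table.
my $SITE_HOST = 'www.sitename.com';
my %forwarded = (                        # constructed sample data
    'blog.example.org'  => 'alice',
    'www.sitename.com.' => 'someuser',   # entry registered with a trailing dot
);

# Canonicalise a Host header value: lowercase, drop the port, and strip the
# trailing dot of a fully qualified name (the substitution from the post).
sub canonical_host {
    my ($host) = @_;
    $host = lc($host // '');
    $host =~ s/:\d+$//;
    $host =~ s/\.$//;
    return $host;
}

# Decide who serves the request. $normalise toggles the fix for comparison.
sub route {
    my ($raw, $normalise) = @_;
    my $host = $normalise ? canonical_host($raw) : lc $raw;
    return 'site' if $host eq $SITE_HOST;
    return "journal of $forwarded{$host}" if exists $forwarded{$host};
    return 'unknown host';
}

# Reject forwarding registrations that collide with the site's own name.
sub registration_allowed {
    my ($requested) = @_;
    return canonical_host($requested) ne $SITE_HOST;
}

for my $raw ('www.sitename.com', 'www.sitename.com.',
             'WWW.SiteName.com.:80', 'blog.example.org') {
    printf "%-22s before: %-20s after: %s\n",
        $raw, route($raw, 0), route($raw, 1);
}
printf "register %-20s allowed: %s\n", $_, registration_allowed($_) ? 'yes' : 'no'
    for 'www.sitename.com.', 'blog.example.org';
```

Comparing the canonical form both when a request is routed and when a forwarding entry is registered keeps the two checks from disagreeing about which names belong to the site.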