webappsec-help_at_securityfocus.com
Date: Mon Jul 22 2002 - 15:34:58 CDT


    Hi! This is the ezmlm program. I'm managing the
    webappsec@securityfocus.com mailing list.

    I'm working for my owner, who can be reached
    at webappsec-owner@securityfocus.com.

    Messages to you from the webappsec mailing list seem to
    have been bouncing. I've attached a copy of the first bounce
    message I received.

    If this message bounces too, I will send you a probe. If the probe bounces,
    I will remove your address from the webappsec mailing list,
    without further notice.

    I've kept a list of which messages from the webappsec mailing list have
    bounced from your address.

    Copies of these messages may be in the archive.

    To retrieve a set of messages 123-145 (a maximum of 100 per request),
    send an empty message to:
       <webappsec-get.123_145@securityfocus.com>

    To receive a subject and author list for the last 100 or so messages,
    send an empty message to:
       <webappsec-index@securityfocus.com>

    Here are the message numbers:

       1527
       1525
       1526
       1524
       1528
       1530
       1531
       1532
       1533
       1534
       1535
       1537
       1538
       1539
       1540
       1541
       1542
       1543
       1544
       1545
       1546

    --- Enclosed is a copy of the bounce message I received.

    Return-Path: <>
    Received: (qmail 11860 invoked from network); 10 Jul 2002 23:00:53 -0000
    Received: from unknown (HELO securityfocus.com) (66.38.151.9)
      by lists.securityfocus.com with SMTP; 10 Jul 2002 23:00:53 -0000
    Received: (qmail 14809 invoked by alias); 10 Jul 2002 22:57:16 -0000
    Received: (qmail 14804 invoked from network); 10 Jul 2002 22:57:15 -0000

      by mail.securityfocus.com with SMTP; 10 Jul 2002 22:57:15 -0000

            id 0652817BFE; Wed, 10 Jul 2002 18:04:12 -0500 (CDT)
    Date: Wed, 10 Jul 2002 18:04:12 -0500 (CDT)

    Subject: Undelivered Mail Returned to Sender

    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;


    This is a MIME-encapsulated message.

    Content-Description: Notification
    Content-Type: text/plain

    I'm sorry to have to inform you that the message returned
    below could not be delivered to one or more destinations.

    For further assistance, please send mail to <postmaster>

    If you do so, please include this problem report. You can
    delete your own text from the message returned below.

                            The Postfix program

        /home/httpd/archives-mbox/current.mbox: error writing message: File too large

    Content-Description: Delivery error report
    Content-Type: message/delivery-status

    Arrival-Date: Wed, 10 Jul 2002 18:04:11 -0500 (CDT)

    Action: failed
    Status: 5.0.0
    Diagnostic-Code: X-Postfix; cannot append message to destination file
        /home/httpd/archives-mbox/current.mbox: error writing message: File too large

    Content-Description: Undelivered Message
    Content-Type: message/rfc822

    Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])


    Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
            by outgoing.securityfocus.com (Postfix) with QMQP
            id 1E043A3A41; Wed, 10 Jul 2002 16:41:58 -0600 (MDT)
    Mailing-List: contact webappsec-help@securityfocus.com; run by ezmlm
    Precedence: bulk
    List-Id: <webappsec.list-id.securityfocus.com>
    List-Post: <mailto:webappsec@securityfocus.com>
    List-Help: <mailto:webappsec-help@securityfocus.com>
    List-Unsubscribe: <mailto:webappsec-unsubscribe@securityfocus.com>
    List-Subscribe: <mailto:webappsec-subscribe@securityfocus.com>
    Delivered-To: mailing list webappsec@securityfocus.com
    Delivered-To: moderator for webappsec@securityfocus.com
    Received: (qmail 29349 invoked from network); 10 Jul 2002 22:39:26 -0000
    Date: Wed, 10 Jul 2002 15:42:44 -0700
    Subject: Re: Best Practices for passing data via HTTP
    Reply-To: mark@curphey.com
    From: "Mark Curphey" <mcurphey@onebox.com>
    To: "Kevin Spett" <kspett@spidynamics.com>
    Cc: <mark@curphey.com>, "Steven Fling" <SFLING@oppenheimerfunds.com>,
            <webappsec@securityfocus.com>
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    MIME-Version: 1.0
    Message-Id: <20020710224244.GDRJ23887.mta10.onebox.com@onebox.com>

    Page 28 of 93 talks about GET vs POST in forms-based authentication.

    Pages 71 and 73 deal with HTML form manipulation issues and URL manipulation
    issues and discuss the problem.

    Page 80 talks about privacy considerations of communal browsers.

    The way I read it this wasn't about transport security (in transit).
    A group of people are updating the doc significantly and so I'll drop
    them a line to make sure the matter is discussed in detail and more prominent.

    ---- "Kevin Spett" <kspett@spidynamics.com> wrote:
    > I do not see anything in the guide at all about best practices for
    > transport security besides a section on SSL and TLS, which the poster
    > is already using.
    >
    > Kevin Spett
    > SPI Dynamics, Inc.
    > http://www.spidynamics.com/
    > ----- Original Message -----
    > From: "Mark Curphey" <mcurphey@onebox.com>
    > To: "Steven Fling" <SFLING@oppenheimerfunds.com>
    > Cc: <webappsec@securityfocus.com>
    > Sent: Wednesday, July 10, 2002 3:43 PM
    > Subject: Re: Best Practices for passing data via HTTP
    >
    > > You should find what you are looking for in the Common Attacks section
    > > of the OWASP Guide to Building Secure Web Apps....it's under form
    > > field manipulation and URL manipulation in particular....
    > >
    > > It's at http://www.owasp.org
    > >
    > > ---- "Steven Fling" <SFLING@oppenheimerfunds.com> wrote:
    > > > Our application communicates across various application server
    > > > environments via HTTP/HTTPS requests (versus RMI, etc.) and needs to
    > > > pass data/parameters back and forth. Naturally we use SSL to encrypt
    > > > the request/response.
    > > >
    > > > I wanted to see if there were any Best Practices established to
    > > > transfer data in this fashion. POST vs. GET method, querystring vs.
    > > > hidden form variable, etc.
    > > >
    > > > Any insight would be appreciated!
    > > >
    > > > ____________________________________
    > > > Steve Fling
    > > > Managing Architect - Web Development
    > > > OppenheimerFunds, Inc.
    > > > sfling@oppenheimerfunds.com
    > > > Office: 303.768.3200
    > > > FAX: 303.768.1096
    > > > http://www.oppenheimerfunds.com
    > > > ____________________________________
    > > >
    > > > This electronic mail transmission may contain confidential information
    > > > and is intended only for the person(s) named. Any use, copying or
    > > > disclosure by any other person is strictly prohibited. If you have
    > > > received this transmission in error, please notify the sender via
    > > > e-mail.
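The thread above points at the OWASP Guide's form field manipulation and URL manipulation sections without spelling the point out. As an added example, not code from the thread, from OWASP or from any of the participants, the Python below shows why the choice between GET and POST, or between a query string and a hidden form field, is not a security boundary: the server parses both into the same name/value pairs, and the client controls all of them. It then shows one server-side mitigation, signing the parameter set the server itself emitted with an HMAC so that edited values are rejected. The key `SERVER_KEY`, the function names, the `naive_server`/`hardened_server` pair and the account/amount parameters are all hypothetical, constructed for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo key (assumption). A real deployment loads it from a
# secret store and rotates it; it must never be sent to the client.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def parse_params(raw: str) -> dict:
    """Parse 'k=v&k2=v2' identically for a query string and a POST body.

    This is the whole point: GET vs POST and query string vs hidden field
    deliver the same bytes, all of which the client chose.
    """
    return {k: v[-1] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def canonical(params: dict) -> bytes:
    """Deterministic encoding of the name/value pairs that get signed."""
    return urlencode(sorted(params.items())).encode()


def sign_params(params: dict, key: bytes = SERVER_KEY) -> dict:
    """Return a copy of params with a 'sig' field binding every pair."""
    sig = hmac.new(key, canonical(params), hashlib.sha256).hexdigest()
    return {**params, "sig": sig}


def verify_params(params: dict, key: bytes = SERVER_KEY) -> bool:
    """True only if 'sig' matches the other fields exactly as emitted."""
    sig = params.get("sig")
    if not isinstance(sig, str):
        return False
    unsigned = {k: v for k, v in params.items() if k != "sig"}
    expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the digest.
    return hmac.compare_digest(expected, sig)


def naive_server(raw: str) -> str:
    """Trusts whatever arrives: the classic hidden-field mistake."""
    p = parse_params(raw)
    return f"charged {p['account']} {p['amount']}"


def hardened_server(raw: str) -> str:
    """Accepts only parameter sets this server emitted and signed."""
    p = parse_params(raw)
    if not verify_params(p):
        return "rejected: parameters tampered or unsigned"
    return f"charged {p['account']} {p['amount']}"


def demo() -> dict:
    # Constructed: what the server placed in a hidden field or link.
    issued = sign_params({"account": "1234", "amount": "100.00"})
    honest = urlencode(issued)
    # Constructed: the user edits the hidden field (or the URL) before
    # submitting; the server cannot tell which form or method was used.
    tampered = urlencode({**issued, "amount": "1.00"})
    return {
        "naive_tampered": naive_server(tampered),
        "hardened_honest": hardened_server(honest),
        "hardened_tampered": hardened_server(tampered),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two caveats that the signature alone does not cover. A signed parameter set can be replayed until something ties it to a session or a one-time nonce, so for Steve Fling's server-to-server case, keeping the state on the server side and passing only an opaque reference is often the simpler design. Separately, GET still has a privacy cost that POST avoids: query strings land in web server access logs, proxy logs, browser history and outbound Referer headers, which is the communal-browser concern the Guide page cited above addresses.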