- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 15 Mar 2013 13:50:48 +0100
- To: "Adrien W. de Croy" <adrien@qbik.com>
- Cc: "IETF HTTP Working Group" <ietf-http-wg@w3.org>
* Adrien W. de Croy wrote:
>we have recently had issues with a site where the server sends chunked
>responses back but closes the TCP connection prior to sending any 0
>chunk (in fact we never see a packet with this).
>Is this actually a security issue, or should we be more tolerant? The
>customer of course just wants to be able to go to the page, and chances
>of getting it fixed seem slim. Is this also a known bug in IIS6.0?

If a network attacker can cause this to happen this can change how the
content is interpreted; for instance, `"a b"` and `"a b` without the
closing quote can be interpreted very differently in many formats and
protocols, so this might, for instance, open up XSS vulnerabilities.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 15 March 2013 12:51:19 UTC
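
The check discussed in the message above, as an added example that is not part of the original thread: a strict decoder for chunked bodies that reports a connection closed before the 0 chunk as truncation, so the caller can decide not to pass a partial body such as `"a b` on as if it were complete. The names `decode_chunked` and `TruncatedBody` and the sample bytes are constructed for illustration.

```python
# Added example (not from the thread): receiver-side truncation detection
# for HTTP/1.1 chunked transfer coding. All names here are hypothetical.

HEX = b"0123456789abcdefABCDEF"

class TruncatedBody(Exception):
    """Peer closed the connection before the terminating zero-length chunk."""
    def __init__(self, partial: bytes):
        super().__init__("chunked body ended before the 0 chunk")
        self.partial = partial  # bytes seen so far; not a complete message

def decode_chunked(raw: bytes) -> bytes:
    """Decode all bytes received before the connection closed.

    Returns the body only if the last-chunk and the final CRLF were seen.
    Raises TruncatedBody on early close, ValueError on malformed framing.
    """
    body = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:                               # size line never completed
            raise TruncatedBody(bytes(body))
        size_field = raw[pos:eol].split(b";", 1)[0]   # ignore chunk extensions
        if not size_field or any(c not in HEX for c in size_field):
            raise ValueError("malformed chunk size: %r" % size_field)
        size = int(size_field, 16)
        if size == 0:
            # last-chunk: optional trailer fields, then an empty line
            if raw.find(b"\r\n\r\n", eol) < 0:
                raise TruncatedBody(bytes(body))
            return bytes(body)
        start, end = eol + 2, eol + 2 + size
        if len(raw) < end + 2:                    # closed inside chunk data
            body += raw[start:end]
            raise TruncatedBody(bytes(body))
        if raw[end:end + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        body += raw[start:end]
        pos = end + 2

# Constructed sample: the body "a b" (with both quotes) sent as two chunks.
COMPLETE = b'4\r\n"a b\r\n1\r\n"\r\n0\r\n\r\n'
# Same response with the connection closed after the first chunk.
TRUNCATED = COMPLETE[:9]

if __name__ == "__main__":
    print(decode_chunked(COMPLETE))
    try:
        decode_chunked(TRUNCATED)
    except TruncatedBody as exc:
        print("truncated, partial body:", exc.partial)
```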