Re: Issues regarding ruby-rack/CVE-2019-16782
Ola Lundqvist <ola@inguza.com> writes:
> So regarding your thought about why Rack has this and not others. Well I
> think all have the same issue. I think it is a little of a stretch that
> this can be used in practice. I mean an attacker must do a broad search of
> all possible session identifiers to make use of this. Or have I
> misunderstood something?
I suspect you are mostly correct.
However, how many people would really notice if an attacker made numerous
connections to their website in an attempt to exploit this?
--
Brian May <bam@debian.org>