2006-07-15, 01:44 PM
The application we used for the previous audit was Acunetix Web Vulnerability Scanner. It acts as an HTTP spider for the URL you specify and attempts to locate vulnerable pages and actions.
For this update - the application couldn't detect it but more importantly, this isn't the kind of issue you think about - an IP address being able to be spoofed via HTTP headers. We were only notified after information had publicly been posted (an exploit script). It also appears (from the same site) IPB is vulnerable to the same issue with the same HTTP header being manipulated.