The authorization cookie has neither the secure flag nor the http flag set.
i.e. if you could get the client to redirect to http://paste.sh it would send the full auth cookie in the (now unencrypted) headers. (Man-in-the-middle can then use the cookie.)
Edit: For anyone checking, the cookie is only set upon the first edit.
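A small checker for the issue the comment describes, added here as an example (it is not code from paste.sh or from the commenter). It parses a raw Set-Cookie header, reports whether the Secure and HttpOnly attributes are missing, models whether a browser would attach the cookie to a plain-http request, and emits the hardened header. The sample cookie name and value are constructed for illustration.

```python
"""Check a Set-Cookie header for the Secure and HttpOnly attributes.

Added example, not code from the page or the project it discusses.
The sample header below is constructed; nothing here talks to a server.
"""
from urllib.parse import urlsplit

# Canonical casing for attribute names when re-emitting a header.
CANONICAL = {
    "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite",
    "path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
}

# Constructed sample: an auth cookie sent with neither Secure nor HttpOnly.
WEAK_HEADER = "auth=deadbeef0123; Path=/"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes (Secure, HttpOnly) map to True; valued attributes map
    to their string value. Only the first '=' separates name from value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def missing_flags(header: str) -> list:
    """Return the hardening attributes that are absent, in a fixed order."""
    attrs = parse_set_cookie(header)["attrs"]
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def would_be_sent(header: str, url: str) -> bool:
    """True if a browser would attach this cookie to a request for url.

    Only the scheme is modelled: a cookie without Secure is sent over plain
    http as well as https. Domain and path matching are not modelled.
    """
    if urlsplit(url).scheme == "https":
        return True
    return "secure" not in parse_set_cookie(header)["attrs"]


def harden(header: str) -> str:
    """Re-emit the header with Secure and HttpOnly added if they were missing."""
    parsed = parse_set_cookie(header)
    attrs = dict(parsed["attrs"])
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    out = [f"{parsed['name']}={parsed['value']}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        out.append(label if val is True else f"{label}={val}")
    return "; ".join(out)


if __name__ == "__main__":
    print("missing:", missing_flags(WEAK_HEADER))
    print("sent over http://paste.sh/ ?", would_be_sent(WEAK_HEADER, "http://paste.sh/"))
    fixed = harden(WEAK_HEADER)
    print("hardened:", fixed)
    print("sent over http://paste.sh/ after fix?", would_be_sent(fixed, "http://paste.sh/"))
```

Running it on the constructed header reports both attributes missing and shows that the cookie would ride along on a plain-http redirect, which is exactly the exposure the comment points at; the hardened header keeps the cookie off plaintext connections (Secure) and out of reach of page scripts (HttpOnly).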