koha-devel

[Koha-devel] Re: XSS Vulnerabilities in Koha


From: Rick Welykochy
Subject: [Koha-devel] Re: XSS Vulnerabilities in Koha
Date: Thu, 30 Aug 2007 22:27:21 +1000
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.6) Gecko/20070802 SeaMonkey/1.1.4

Chris Cormack wrote:

> Yep you might be able to do that, but all you would get is an md5 string, we have just rewritten the authentication module using CGI::Session for 3.0. And it wouldn't be any use to you, unless you were also spoofing the ip of the machine that created that particular session.
> Nothing of interest is stored in the cookie anymore.

Sounds great.

And an amazing coincidence, if I read you correctly: just yesterday I was
thinking about tamper-proof and secure cookies, and came up with a similar
idea, i.e. encode the IP address of the client somewhere in a secured
digest of the information you want.

cheers
rickw



--
_________________________________
Rick Welykochy || Praxis Services

I didn't have time to write a short letter, so I wrote a long one instead.
     -- Mark Twain
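
The idea described in the message above, as an added example that is not part of the original message and is not Koha or CGI::Session code: the cookie carries a payload plus a keyed digest computed over the payload and the client's IP address, so a cookie that is altered or replayed from another address fails verification. Using HMAC-SHA256 as the "secured digest", and the names `make_cookie`, `verify_cookie`, `constant_time_eq` and `$SECRET`, are assumptions made for illustration.

```perl
#!/usr/bin/perl
use 5.010;
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed demo key (assumption). A real deployment loads a random secret
# from server-side configuration and never sends it to the client.
my $SECRET = 'constructed-demo-key-not-for-production';

# Build "payload.tag". The tag covers the payload AND the client IP; the IP
# is not stored in the cookie, the server supplies it again when verifying.
sub make_cookie {
    my ($payload, $client_ip) = @_;
    my $tag = hmac_sha256_hex(join("\0", $payload, $client_ip), $SECRET);
    return "$payload.$tag";
}

# String comparison whose running time does not depend on where the
# two values first differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the payload if the tag is valid for this client IP, otherwise undef.
sub verify_cookie {
    my ($cookie, $client_ip) = @_;
    my ($payload, $tag) = $cookie =~ /\A(.*)\.([0-9a-f]{64})\z/s or return;
    my $expected = hmac_sha256_hex(join("\0", $payload, $client_ip), $SECRET);
    return constant_time_eq($tag, $expected) ? $payload : undef;
}

# Constructed sample values (documentation address ranges).
my $cookie = make_cookie('sessionid=abc123', '192.0.2.10');
(my $tampered = $cookie) =~ s/abc123/zzz999/;

say 'same IP:      ', verify_cookie($cookie,   '192.0.2.10')   // 'rejected';
say 'different IP: ', verify_cookie($cookie,   '198.51.100.7') // 'rejected';
say 'tampered:     ', verify_cookie($tampered, '192.0.2.10')   // 'rejected';
```

Binding to the IP address also rejects legitimate clients whose address changes during a session, and it does not separate users who share one address behind NAT or a proxy.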



