[Koha-devel] Re: XSS Vulnerabilities in Koha
From: Rick Welykochy
Subject: [Koha-devel] Re: XSS Vulnerabilities in Koha
Date: Thu, 30 Aug 2007 22:27:21 +1000
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.6) Gecko/20070802 SeaMonkey/1.1.4

Chris Cormack wrote:

> Yep you might be able to do that, but all you would get is an md5
> string, we have just rewritten the authentication module using
> CGI::Session for 3.0.
> And it wouldn't be any use to you, unless you were also spoofing the ip
> of the machine that created that particular session.
> Nothing of interest is stored in the cookie anymore.

Sounds great.
And an amazing coincidence, if I read you correctly: just yesterday I was
thinking about tamper-proof and secure cookies, and came up with a similar
idea, i.e. encode the IP address of the client somewhere in a secured
digest of the information you want.
cheers
rickw
--
_________________________________
Rick Welykochy || Praxis Services
I didn't have time to write a short letter, so I wrote a long one instead.
-- Mark Twain
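
Added example, not part of the original message and not Koha's or CGI::Session's code: the idea discussed above, written in Python, where the cookie carries a keyed digest (HMAC) that covers the client IP, so the IP is checked on every request without being stored in the cookie. The key, function names and cookie layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key; a real deployment loads a random secret from server-side config.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _sign(payload: bytes, client_ip: str) -> bytes:
    # The client IP is mixed into the MAC input but never written into the cookie.
    mac = hmac.new(SECRET_KEY, payload + b"|" + client_ip.encode(), hashlib.sha256)
    return mac.hexdigest().encode()


def issue_cookie(session_id: str, client_ip: str, ttl: int = 3600, now=None) -> str:
    """Return 'base64(session_id|expiry).hexmac', bound to client_ip."""
    expiry = int(time.time() if now is None else now) + ttl
    payload = f"{session_id}|{expiry}".encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload, client_ip).decode()}"


def verify_cookie(cookie: str, client_ip: str, now=None):
    """Return the session id if the cookie is authentic, unexpired and
    presented from the IP it was issued to; otherwise return None."""
    try:
        body, mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        session_id, expiry_text = payload.decode().rsplit("|", 1)
        expiry = int(expiry_text)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie: missing parts, bad base64, bad expiry
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(mac.encode(), _sign(payload, client_ip)):
        return None  # tampered payload, wrong key, or different client IP
    if (time.time() if now is None else now) >= expiry:
        return None
    return session_id
```

Clients behind the same NAT or proxy share an address, and mobile clients change address mid-session, so the IP binding is a supplementary check on top of the keyed digest rather than a replacement for it.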