[Koha-devel] Re: XSS Vulnerabilities in Koha

Rick Welykochy rick at praxis.com.au
Thu Aug 30 14:27:21 CEST 2007


Chris Cormack wrote:

> Yep you might be able to do that, but all you would get is an md5 
> string, we have just rewritten the authentication module using 
> CGI::Session for 3.0.
> And it wouldn't be any use to you, unless you were also spoofing the IP 
> of the machine that created that particular session.
> Nothing of interest is stored in the cookie anymore.

Sounds great.

And an amazing coincidence, if I read you correctly: just yesterday I was
thinking about tamper-proof and secure cookies, and came up with a similar
idea, i.e. encode the IP address of the client somewhere in a secured
digest of the information you want.

cheers
rickw



-- 
_________________________________
Rick Welykochy || Praxis Services

I didn't have time to write a short letter, so I wrote a long one instead.
      -- Mark Twain
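The binding Rick describes, written up here as an added example (not Koha's code and not anything posted in the thread): the client IP is mixed into an HMAC over the session data, so a cookie copied to another host fails verification even though the IP itself is never stored in the cookie. The secret key, session id and addresses are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for the demo; a real deployment loads it from
# configuration and never sends it to the client.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def make_cookie(session_id: str, client_ip: str, ttl: int = 3600,
                now: Optional[float] = None) -> str:
    """Build a tamper-evident cookie: base64(payload) + "." + HMAC(key, payload || ip).

    The client IP goes into the MAC input but not into the cookie, so the cookie
    only verifies when presented from the address it was issued to.
    """
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"sid": session_id, "exp": issued + ttl},
                         separators=(",", ":")).encode()
    mac = hmac.new(SECRET_KEY, payload + b"|" + client_ip.encode(),
                   hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_cookie(cookie: str, client_ip: str,
                  now: Optional[float] = None) -> Optional[dict]:
    """Return the session payload if MAC, IP binding and expiry all hold, else None."""
    try:
        b64, mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, TypeError):
        return None  # malformed cookie: wrong shape or bad base64
    expected = hmac.new(SECRET_KEY, payload + b"|" + client_ip.encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be recovered byte by byte via timing
    if not hmac.compare_digest(mac, expected):
        return None  # payload edited, MAC edited, or presented from another IP
    data = json.loads(payload)
    current = now if now is not None else time.time()
    if data["exp"] < current:
        return None  # expired
    return data
```

Binding the session to the client address also means a user whose address changes mid-session (rotating proxies, mobile networks) is logged out; that is the trade-off to weigh against the spoofing point raised above.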
