cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 13:11:15 GMT
Vadim Gritsenko wrote:
> Leszek Gawron wrote:
> 
>> Sylvain Wallez wrote:
>>
>>> Leszek Gawron wrote:
>>>
>>>> Sylvain Wallez wrote:
>>>>
>>>>> This has already been identified by Leszek Gawron. Although this is 
>>>>> an issue, it can only be exploited by hijacking a continuation ID 
>>>>> which, if done, also means the ability to hijack the session ID and 
>>>>> therefore the associated authorizations.
> 
> 
> Exactly.
> 
> 
>>>> 1. You login.
>>>> 2. Do stuff.
>>>> 3. Logout.
> 
> 
> Did you forget to invalidate continuations? Your fault. (1)
Invalidating every continuation by hand is asking for problems that are hard to find.
For a web application which requires a session it is very convenient to invalidate 
all continuations when the continuation holder is unbound from the session (session 
invalidated).

> I left some comments already in the bug report.
Thank you. I have made a comment also. Please read it if you have time.

-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
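As an added illustration of the approach described in this reply, and not Cocoon's own code: a small Java sketch in which continuations are registered in a per-session holder that implements HttpSessionBindingListener, so that when the session is invalidated (logout or timeout) the container unbinds the holder and every continuation it owns dies with it. Class, method and attribute names are hypothetical; the real Cocoon ContinuationsManager API differs.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical manager mapping continuation ids to continuations (all names assumed). */
public class SessionBoundContinuations {
    static final String HOLDER_KEY = "continuations-holder"; // assumed session attribute name

    /** Minimal stand-in for a web continuation: an id plus a valid flag. */
    public static final class Continuation {
        final String id;
        private volatile boolean valid = true;
        Continuation(String id) { this.id = id; }
        boolean isValid() { return valid; }
        void invalidate() { valid = false; }
    }

    private final Map<String, Continuation> byId = new ConcurrentHashMap<>();

    /** Per-session holder; the container calls valueUnbound() when the session is invalidated. */
    private final class Holder implements HttpSessionBindingListener {
        private final List<Continuation> owned = new ArrayList<>();
        public void valueBound(HttpSessionBindingEvent e) { /* nothing to do */ }
        public synchronized void valueUnbound(HttpSessionBindingEvent e) {
            // Session gone: invalidate every continuation created in it at once, so an id
            // captured earlier cannot resume the flow after logout. No per-continuation bookkeeping needed.
            for (Continuation c : owned) { c.invalidate(); byId.remove(c.id); }
            owned.clear();
        }
        synchronized void add(Continuation c) { owned.add(c); }
    }

    /** Create a continuation and attach it to the caller's session holder. */
    public Continuation create(HttpSession session, String id) {
        Holder h = (Holder) session.getAttribute(HOLDER_KEY);
        if (h == null) { h = new Holder(); session.setAttribute(HOLDER_KEY, h); }
        Continuation c = new Continuation(id);
        h.add(c);
        byId.put(id, c);
        return c;
    }

    /** Resolve an id presented by a request; returns null once the owning session is gone. */
    public Continuation lookup(String id) {
        Continuation c = byId.get(id);
        return (c != null && c.isValid()) ? c : null;
    }
}
```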
