On Fri, 15 Jun 2018 19:15:39 -0600 Warren Young <war...@etr-usa.com> wrote:
> On Jun 15, 2018, at 4:30 PM, David Precious <dav...@preshweb.co.uk> wrote:
>
> > - Validate session IDs read from client - GH #1172 - potential
> > security risk if the session provider in use passes the session ID
> > in a way where injection is possible.
>
> Is there a list of session providers known to do this? I don't
> expect it to be complete, but I suspect that, like me, most people
> will have no way to evaluate whether their session providers are
> vulnerable.

OTTOMH, I believe it was Memcached-powered ones.

There was also a mention of Storable-powered sessions, because loading
Storable data from untrusted sources can be dangerous - but the Storable
data loaded is the session file which was written by the application; the
session ID passed through should not reach Storable, so I'm not entirely
sure there. I'd like to have seen a PoC.

Cheers

Dave P

--
_______________________________________________
dancer-users mailing list
dancer-users@dancer.pm
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
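The fix discussed above (validating a session ID read from the client before a session provider uses it) can be illustrated with a small allowlist check. This is an added example, not Dancer's own code and not the patch from GH #1172; the ID format (`SESSION_ID_RE`), the file-backed and cache-key builders, and the sample cookie values are all assumptions constructed here to show the check in isolation.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Spec;

# Hypothetical allowlist for the shape of a session ID. Real engines generate
# IDs of a known alphabet and length; tighten this to match the engine in use.
# Anything outside the allowlist (path separators, whitespace, control
# characters, an empty value) is rejected before it reaches a backend.
my $SESSION_ID_RE = qr/\A[A-Za-z0-9_-]{16,128}\z/;

# Returns 1 when the id is well-formed, 0 otherwise.
sub validate_session_id {
    my ($id) = @_;
    return 0 unless defined $id;
    return $id =~ $SESSION_ID_RE ? 1 : 0;
}

# File-backed store: refuse to build a path from an unvalidated id, so the
# cookie value can never influence which file is read or written.
sub session_file_path {
    my ($dir, $id) = @_;
    die "invalid session id\n" unless validate_session_id($id);
    return File::Spec->catfile($dir, "$id.yml");
}

# Memcached-style store: keys may not contain whitespace or control
# characters; the same allowlist guarantees that before the key is built.
sub session_cache_key {
    my ($id) = @_;
    die "invalid session id\n" unless validate_session_id($id);
    return "session:$id";
}

# Constructed sample cookie values (not real session IDs).
my @samples = (
    'a1b2c3d4e5f6g7h8i9j0',      # well-formed
    '../not-an-id',              # contains path separators
    "abc def\r\nnot-an-id",      # whitespace and control characters
    'tooshort',                  # below the minimum length
    '',                          # empty
);

for my $s (@samples) {
    my $shown = $s =~ s/[\r\n]/\\n/gr;
    printf "%-28s -> %s\n", "'$shown'",
        validate_session_id($s) ? 'accepted' : 'rejected';
}

# Only the well-formed id reaches a backend; the others die at the guard.
print session_file_path('/var/lib/app/sessions', $samples[0]), "\n";
print session_cache_key($samples[0]), "\n";
```

The point of putting the guard inside the path and key builders, rather than only at the cookie-reading layer, is that every session provider then benefits from it regardless of which code path handed it the ID, which is the property the changelog entry quoted above is asking for.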