On Fri, 15 Jun 2018 19:15:39 -0600
Warren Young <war...@etr-usa.com> wrote:

> On Jun 15, 2018, at 4:30 PM, David Precious <dav...@preshweb.co.uk>
> wrote:
> > 
> > - Validate session IDs read from client - GH #1172 - potential
> > security risk if the session provider in use passes the session ID
> > in a way where injection is possible.  
> 
> Is there a list of session providers known to do this?  I don’t
> expect it to be complete, but I suspect that, like me, most people
> will have no way to evaluate whether their session providers are
> vulnerable.

OTTOMH, I believe it was Memcached-powered ones.

There was also a mention of Storable-powered sessions, because loading
Storable data from untrusted sources can be dangerous - but the
Storable data loaded is the session file which was written by the
application, and the session ID passed through should not reach Storable,
so I'm not entirely sure there; I'd like to have seen a PoC.

Cheers

Dave P
--
_______________________________________________
dancer-users mailing list
dancer-users@dancer.pm
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
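Added illustration (not Dancer2's own code, nor anything the posters wrote) of the kind of allow-list check the changelog item describes: refuse a client-supplied session ID before it is handed to any session backend, whether that backend turns it into a file name or a Memcached key. The accepted character set and length bounds are assumptions; match them to what your session engine actually generates.

```perl
#!/usr/bin/env perl
# Added example, not Dancer2 code: validate a session ID taken from the
# client (cookie or parameter) before a session provider ever sees it.
use strict;
use warnings;

# Assumed format: URL-safe characters only, bounded length. Anything else
# (whitespace, control characters, path separators) is rejected outright.
sub valid_session_id {
    my ($id) = @_;
    return 0 unless defined $id;
    return $id =~ /\A[A-Za-z0-9_-]{16,128}\z/ ? 1 : 0;
}

# Constructed inputs: one plausible ID and several that must be refused.
my @cases = (
    [ 'Kj3aV9pQ2mZ8tR4xLc7WnB1yD5fH0sG6', 1 ],   # well-formed
    [ 'short',                            0 ],   # below minimum length
    [ "abc123\r\nDEF456ghi789",           0 ],   # control characters
    [ '../../../../etc/passwd',           0 ],   # path traversal characters
    [ undef,                              0 ],   # no session cookie at all
);

for my $case (@cases) {
    my ($id, $expected) = @$case;
    my $shown = defined $id ? sprintf("'%s'", $id =~ s/[\r\n]/?/gr) : 'undef';
    my $got   = valid_session_id($id);
    printf "%-40s -> %s\n", $shown,
        $got == $expected ? ($got ? 'accepted' : 'rejected') : 'UNEXPECTED';
}
```

Wire the check in wherever the session ID is read from the request, and treat a rejected ID exactly like a missing one: start a fresh session rather than passing the bad value along.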
