Hiram,
Mason itself does not use cookies. It does use Storable, indirectly,
through the Cache::Cache library, but only for internal data, not for any
data that is sent to or read from the client. It does not have any special
handling for client input named cn, dn, or changetoken.
However, Mason is a framework which people build applications on top of. It
may well be that your application has the problem described, but that would
be in your application code, not in Mason.
If your code is accepting user input and feeding it to Storable, I agree
that wouldn't be a good thing, and you should probably change it.
- Perrin
On Wed, Mar 29, 2017 at 10:22 AM, Hiram Gibbard <[email protected]> wrote:
> Anyone have any feedback on what might be expected from me to address the
> fact that mason is using Perl storable objects?
>
> On Tue, Jan 31, 2017 at 11:05 AM, Hiram Gibbard <[email protected]>
> wrote:
>
>> Hi All, This may not be a Mason issue, but I have a security report
>> stating the following:
>>
>> "Your app no longer uses any of the Perl Storable Object cookies (cn, dn,
>> changetoken) to keep state or perform authentication actions. However, the
>> underlying Perl Mason application framework will still process the data in
>> these cookies as Storable objects if they are included in user requests.
>> As a result, it is still possible to trigger exploitation."
>>
>> *Remediation: *Do not process any cookies in user requests as Perl
>> Storable objects.
>>
>>
>> Looking for any guidance, clarity, or theories on the statement (high
>> level of just where to look or what is it I might look for in the code).
>> This application was written a long time ago by someone else, and I'm just
>> trying to keep it running.
>>
>>
>> Thanks in advance,
>>
>>
>>
>> --
>> Hiram Gibbard
>> [email protected]
>> http://hiramgibbard.com
>>
>>
>
>
> --
> Hiram Gibbard
> [email protected]
> http://hiramgibbard.com
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Mason-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/mason-users
>
>
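What the report's finding looks like in application code, and one way to remediate it, as an added example that is neither Mason's code nor the original application's; it assumes the cookie carries session state inline and uses a placeholder secret:

```perl
use strict;
use warnings;
use Storable     qw(thaw);
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA  qw(hmac_sha256_hex);
use JSON::PP     qw(encode_json decode_json);

# The pattern the report warns about: a cookie value is base64-decoded and
# handed straight to Storable::thaw. Storable rebuilds whatever the client
# encoded, including blessed objects of any class named in the stream, so the
# client, not the application, decides what gets instantiated.
sub state_from_cookie_unsafe {
    my ($cookie_value) = @_;
    return thaw(decode_base64($cookie_value));
}

# Hardened replacement: the cookie carries plain JSON (no classes, no hooks)
# plus an HMAC over the encoded payload; the payload is only decoded after
# the MAC verifies, so a tampered or forged cookie is rejected first.
my $SECRET = 'replace-with-a-random-per-deployment-secret';   # placeholder

sub state_to_cookie {
    my ($state) = @_;
    my $payload = encode_base64(encode_json($state), '');
    return $payload . '.' . hmac_sha256_hex($payload, $SECRET);
}

sub state_from_cookie {
    my ($cookie_value) = @_;
    my ($payload, $mac) = split /\./, $cookie_value, 2;
    return undef unless defined $payload && defined $mac;
    my $expected = hmac_sha256_hex($payload, $SECRET);
    # constant-time comparison: XOR the two strings, count non-zero bytes
    return undef if length($mac) != length($expected)
                 || (("$mac" ^ "$expected") =~ tr/\0//c) != 0;
    my $state = eval { decode_json(decode_base64($payload)) };
    return undef unless ref $state eq 'HASH';
    return $state;
}

# Constructed demonstration values.
my $cookie = state_to_cookie({ user => 'alice', role => 'viewer' });
my $ok     = state_from_cookie($cookie);
print "accepted: $ok->{user}/$ok->{role}\n" if $ok;

my $forged = encode_base64(encode_json({ user => 'alice', role => 'admin' }), '')
           . '.' . ('0' x 64);
print "forged cookie rejected\n" unless defined state_from_cookie($forged);
```

Searching the application for calls to Storable's thaw or retrieve whose input comes from cookies or request parameters is where to start looking; Mason's own Cache::Cache use is separate from that.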