"Lorenzo Hernandez Garcia-Hierro" <[EMAIL PROTECTED]> typed:
>
> cryp method uses "single line" encryption, there is no key to encrypt.
> md5 hashes a string when given to the function ( md5($string) ).
> I refer to a book: Ed. Ra-Ma Cryptography for Data Protection:
> ( Spanish book ):
> md5 is used to give a hash from a plain string, md5 has the possibility of
> including a salt based on another string
> that must be an epochtime salt ( epochtime output or similar ) and a random
> number salt.
>
> It is simple, md5 hashes the $pre_hash and $truluxalt.
> the salt is only for providing more entropy to the generated hash.
> and i made this because of this "little" problem:
> /account/login.php at line 91 we have a funny function that we can use to
> delete other users' session hashes.
> this is the buggy code:
>
> -SNIP-
> if ($session_hash)
> {
> #nuke their old session
> session_cookie('session_hash','');
> db_query("DELETE FROM session WHERE session_hash='$session_hash'");
> }
> -SNIP-
>
> understanding the "nuke their session" :)
> just send a request or write a script to send requests with random session
> hashes or
> simply use the * wildcard, or try to inject SQL queries.
> we can set session_hash to anything we want.
> ----
> I think Mathieu removed that function but it was there.
I did. I need the trunk to be working. Unless there is a need to
change this kind of function due to a bug, they should not really
change on the trunk, especially not before a release.
>> Also, your addition of frontend/php/security/security-lib.php (I'm
>> talking about the XOR encoding function, here) seems to be aiming more
>> toward security through obscurity than... well any other purpose.
>
> XOR is easily decoded, just use perl to do it.
I am not sure I understand how it was planned to be used, or for what
purpose.
>> By using this function you are not only A) telling all search engines
>> you do not want their business and B) telling visitors without
>> javascript-enabled browsers you do not want their business either.
>>
>> You are also making any page that Savane generates non-HTML compliant
>> for the purpose of "security."
>
> Not all the pages will be encoded.
> Security library just adds functions that can be used by including the whole
> file and then calling the wanted function.
But what do you want to encode, why?
> PS: think again about adding a salt to session_hash generation. If you want,
> tell me to do it.
There is no problem to do it, but get something working on your test
install, and then commit it to a branch, for instance the branch for
register_globals (same scope), so we keep the trunk working.
Regards,
--
Mathieu Roy
+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english |
+---------------------------------------------------------------------+
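As an added illustration of the login.php snippet quoted in the thread (this is example code, not Savane's own, and the `session` table layout with `user_id` and `session_hash` columns is an assumed, constructed schema): the original builds the `DELETE` by interpolating `$session_hash` straight from the request, so any value the client chooses reaches the database, including SQL fragments. The hardened version below binds the value as a parameter, checks it has the shape of an md5 hex digest, and restricts the delete to the requesting user's own row. It also shows a session identifier drawn from a CSPRNG rather than from an epoch-time salt, which is predictable to anyone who knows roughly when the login happened.

```php
<?php
// Added example, not Savane code. Runs offline against an in-memory SQLite
// database; the `session` table below is a constructed stand-in for Savane's.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session (user_id INTEGER NOT NULL, session_hash TEXT NOT NULL)');
$db->exec("INSERT INTO session VALUES
    (1, '0cc175b9c0f1b6a831c399e269772661'),
    (2, '92eb5ffee6ae2fec3ad71c777531578f'),
    (3, '4a8a08f09d37b73795649038408b5f33')"); // constructed sample rows

// The pattern quoted from login.php: the request value is pasted into the
// query text, so the caller controls both which rows match and the SQL itself.
function nuke_session_vulnerable(PDO $db, string $session_hash): int
{
    return $db->exec("DELETE FROM session WHERE session_hash='$session_hash'");
}

// Hardened form: validate shape, bind the value, and scope to the caller.
// $current_user_id is assumed to come from the already-authenticated session,
// never from the request being handled.
function nuke_session_hardened(PDO $db, int $current_user_id, string $session_hash): int
{
    // md5 hex digest: exactly 32 lowercase hex characters (assumption: that is
    // what Savane stores; adjust the pattern if the format differs).
    if (!preg_match('/\A[0-9a-f]{32}\z/', $session_hash)) {
        return 0;
    }
    $st = $db->prepare(
        'DELETE FROM session WHERE session_hash = :h AND user_id = :u'
    );
    $st->execute([':h' => $session_hash, ':u' => $current_user_id]);
    return $st->rowCount();
}

// A session identifier that does not depend on the clock: 16 random bytes
// from the OS CSPRNG, rendered as 32 hex characters so it passes the check above.
function new_session_hash(): string
{
    return bin2hex(random_bytes(16));
}

// Demonstration: user 1 tries to remove user 2's session.
$other = '92eb5ffee6ae2fec3ad71c777531578f';
echo "hardened, wrong owner: ", nuke_session_hardened($db, 1, $other), " row(s)\n"; // 0
echo "hardened, malformed:   ", nuke_session_hardened($db, 2, "' OR x"), " row(s)\n"; // 0
echo "hardened, own session: ", nuke_session_hardened($db, 2, $other), " row(s)\n"; // 1
echo "vulnerable, any hash:  ", nuke_session_vulnerable($db, '4a8a08f09d37b73795649038408b5f33'), " row(s)\n"; // 1
echo "fresh id: ", new_session_hash(), "\n";
```

The ownership check is the part the original snippet lacked even before the quoting problem: a session-revocation endpoint should only ever be able to end the caller's own session, so the hash alone must never be the sole selector.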