Hi,

> "Lorenzo Hernandez Garcia-Hierro" <[EMAIL PROTECTED]> tapota :
>
>
> >
> > cryp method uses "single line" encryption, there is no key to encrypt.
> > md5 hashes a string when given to the function ( md5($string) ).
> > i refer to a book: Ed. Ra-Ma Cryptography for Data Protection :
> > ( spanish book ):
> > md5 is used to give a hash from a plain string, md5 has the possibility of
> > including a salt based on another string
> > that must be an epochtime salt ( epochtime output or similar ) and a random
> > number salt.
> >
> > It is simple, md5 hashes the $pre_hash and $truluxalt.
> > the salt is only to provide more entropy to the generated hash.
> > and i made this because of this "little" problem:
> > /account/login.php at line 91 we have a funny function that we can use to
> > delete other users' session hashes.
> > this is the buggy code:
> >
> > -SNIP-
> > if ($session_hash)
> > {
> >   #nuke their old session
> >   session_cookie('session_hash','');
> >   db_query("DELETE FROM session WHERE session_hash='$session_hash'");
> > }
> > -SNIP-
> >
> > understanding the "nuke their session" :)
> > just send a request or write a script to send requests with random session
> > hashes or
> > simply use * wildcard, or try to inject SQL queries.
> > we can set session_hash to anything we want.
> > ----
> > I think Mathieu removed that function but it was there.
>
> I did. I need the trunk to be working. Unless there is a need to
> change this kind of function due to a bug, they should not really
> change on the trunk, especially not before a release.
>
>
> >> Also, your addition of frontend/php/security/security-lib.php (I'm
> >> talking about the XOR encoding function, here) seems to be aiming more
> >> toward security through obscurity than...  well any other purpose.
> >
> > XOR is easily decoded, just use perl to do it.
>
> I am not sure to understand how it was planned to be used, for what
> purpose.

To provide source code obscurity to some webpages.

> >> By using this function you are not only A) telling all search engines
> >> you do not want their business and B) telling visitors without
> >> javascript-enabled browsers you do not want their business either.
> >>
> >> You are also making any page that Savane generates non-HTML compliant
> >> for the purpose of "security."
> >
> > Not all the pages will be encoded.
> > Security library just adds functions that can be used by including the whole
> > file and then calling the wanted function.
>
> But what do you want to encode, why?

Just using the function to encode some pages' source code.
To prevent kidding.

> > PS: think again about adding a salt to session_hash generation. If you want,
> > tell me to do it.
>
> There is no problem to do it, but get something working on your test
> install, and then commit it to a branch, for instance the branch for
> register_globals (same scope), so we keep the trunk working.

I will try to get a copy of Savane working on my home server.
I hope it will not be very difficult.

> Regards,
>
> -- 
> Mathieu Roy
>
>   +---------------------------------------------------------------------+
>   | General Homepage:           http://yeupou.coleumes.org/             |
>   | Computing Homepage:         http://alberich.coleumes.org/           |
>   | Not a native english speaker:                                       |
>   |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
>   +---------------------------------------------------------------------+
>
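The "nuke their old session" snippet quoted above deletes whatever row matches a client-supplied session_hash, interpolated straight into the SQL. As an added example (not Savane code, and not Lorenzo's or Mathieu's), here is a hardened version of that step together with session-hash generation: the DELETE is bound to the user id established server-side, the value is passed as a bound parameter so wildcards and quotes are literal, and the hash itself comes from the OS CSPRNG via random_bytes() instead of md5() over an epoch-time plus rand() salt, which is guessable. The `session` table layout, `PDO` over in-memory SQLite (so it runs stand-alone) and the function names are assumptions.

```php
<?php
// Added example, not part of Savane. Assumptions (hypothetical): a `session`
// table with columns (session_hash, user_id); PDO over in-memory SQLite so the
// script runs offline; user ids come from the server-side login step.
declare(strict_types=1);

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE session (session_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');
    return $db;
}

// Swapped-in technique: 32 bytes from the OS CSPRNG, hex-encoded (64 chars),
// instead of md5($pre_hash . $salt). Time-based and rand() salts can be
// enumerated; random_bytes() cannot.
function new_session_hash(): string {
    return bin2hex(random_bytes(32));
}

// Deletes at most the one session that is both presented by the client and
// owned by the authenticated user. $user_id never comes from the request, so a
// forged session_hash can only ever remove the sender's own row. The bound
// parameter means no string interpolation into SQL: "*" or a quote is just text.
function nuke_old_session(PDO $db, int $user_id, ?string $session_hash): int {
    if ($session_hash === null || !preg_match('/\A[0-9a-f]{64}\z/', $session_hash)) {
        return 0; // missing or malformed: nothing to delete
    }
    $stmt = $db->prepare('DELETE FROM session WHERE session_hash = :h AND user_id = :u');
    $stmt->execute([':h' => $session_hash, ':u' => $user_id]);
    return $stmt->rowCount();
}

// --- demonstration with constructed data ---
$db    = open_demo_db();
$alice = new_session_hash(); // user 1
$bob   = new_session_hash(); // user 2
$ins = $db->prepare('INSERT INTO session (session_hash, user_id) VALUES (?, ?)');
$ins->execute([$alice, 1]);
$ins->execute([$bob, 2]);

// User 1 sends the kinds of values the thread describes: a wildcard, an
// arbitrary string, and another user's hash. None of them touch Bob's row.
foreach (['*', 'anything we want', $bob] as $forged) {
    printf("user 1 sends %-16s -> %d rows deleted\n", substr($forged, 0, 16), nuke_old_session($db, 1, $forged));
}
// Legitimate logout: user 1 presents their own hash.
printf("user 1 sends own hash    -> %d rows deleted\n", nuke_old_session($db, 1, $alice));
printf("sessions remaining: %d\n", (int) $db->query('SELECT COUNT(*) FROM session')->fetchColumn());
```

The format check on the hash is a cheap first filter, but the real protection is the `user_id` predicate: even a valid hash belonging to someone else matches zero rows. Keeping the salt discussion in mind, note that a salt does not make an md5-of-time identifier unpredictable if the salt itself is derived from time or rand(); the generator has to be a CSPRNG.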