"Lorenzo Hernandez Garcia-Hierro" <[EMAIL PROTECTED]> wrote:
> Hi,
>
>> "Lorenzo Hernandez Garcia-Hierro" <[EMAIL PROTECTED]> wrote:
>>
>>
>> >
>> > The cryp method uses "single line" encryption; there is no key to encrypt.
>> > md5 hashes a string when given to the function ( md5($string) ).
>> > I refer to a book, Ed. Ra-Ma, Cryptography for Data Protection
>> > (a Spanish book):
>> > md5 is used to give a hash from a plain string; md5 has the possibility of
>> > including a salt based on another string
>> > that must be an epoch-time salt (epoch-time output or similar) and a
>> > random number salt.
>> >
>> > It is simple: md5 hashes the $pre_hash and $truluxalt.
>> > The salt is only there to provide more entropy to the generated hash.
>> > And I made this because of this "little" problem:
>> > at line 91 of /account/login.php we have a funny function that we can use to
>> > delete other users' session hashes.
>> > This is the buggy code:
>> >
>> > -SNIP-
>> > if ($session_hash)
>> > {
>> > #nuke their old session
>> > session_cookie('session_hash','');
>> > db_query("DELETE FROM session WHERE session_hash='$session_hash'");
>> > }
>> > -SNIP-
>> >
>> > Understanding the "nuke their session" :)
>> > Just send a request, or write a script to send requests with random
>> > session hashes, or
>> > simply use the * wildcard, or try to inject SQL queries.
>> > We can set session_hash to anything we want.
>> > ----
>> > I think Mathieu removed that function, but it was there.
>>
>> I did. I need the trunk to be working. Unless there is a need to
>> change this kind of function due to a bug, they should not really
>> change on the trunk, especially not before a release.
>>
>>
>> >> Also, your addition of frontend/php/security/security-lib.php (I'm
>> >> talking about the XOR encoding function, here) seems to be aiming more
>> >> toward security through obscurity than... well any other purpose.
>> >
>> > XOR is easily decoded; just use Perl to do it.
>>
>> I am not sure to understand how it was planned to be used, for what
>> purpose.
>
> To provide source code obscurity for some web pages.
I still don't get why you would do that. That's not security. It just
provides a misleading feeling of security.
>> >> By using this function you are not only A) telling all search engines
>> >> you do not want their business and B) telling visitors without
>> >> javascript-enabled browsers you do not want their business either.
>> >>
>> >> You are also making any page that Savane generates non-HTML compliant
>> >> for the purpose of "security."
>> >
>> > Not all the pages will be encoded.
>> > The security library just adds functions that can be used by including the
>> > whole file and then calling the wanted function.
>>
>> But what do you want to encode, why?
>
> Just using the function to encode some pages' source code.
> To prevent kidding.
Well, people can just grab the Savane source code. In the best case, it
will just annoy loyal users.
>> > PS: think again about adding a salt to session_hash generation. If you want,
>> > tell me and I'll do it.
>>
>> There is no problem to do it, but get something working on your test
>> install, and then commit it to a branch, for instance the branch for
>> register_globals (same scope), so we keep the trunk working.
>
> I will try to get a copy of Savane working on my home server.
> I hope it will not be very difficult.
If you follow the INSTALL.verbose, it should not be.
Regards,
--
Mathieu Roy
+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english |
+---------------------------------------------------------------------+
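The session-nuking code quoted above, and the shape of a fix, as an added example that is not part of this thread or of Savane's code. Python with an in-memory SQLite table stands in for the PHP/MySQL original; the `session` table schema with a `user_id` column, the sample session rows, and the function names are all assumptions made for the demonstration. The vulnerable function pastes the request-supplied `session_hash` straight into the DELETE, exactly as the quoted `db_query(...)` line does, so a value like `' OR '1'='1` turns "nuke my session" into "nuke everyone's session". The hardened variant binds the value as a query parameter and additionally requires that the row belongs to the user making the request, which is the property the original check never enforced. The last function generates a session hash the way the thread proposes (md5 over a pre-hash plus an epoch-time and random salt); note that the unpredictability comes entirely from the random salt, not from md5.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed sample data (not real Savane data): three logged-in users,
# each holding one session row.  Schema with user_id is an assumption.
SAMPLE_SESSIONS = [
    ("4f1a9c0e3b7d2a8c6e5f0b1d9a3c7e2f", 1),
    ("8b2e7d1c5a9f3e0b4d6c2a8e1f7b9d3a", 2),
    ("c3d9a1f7e5b2c8d4a6e0f9b1d7c3a5e8", 3),
]


def make_db():
    """In-memory stand-in for the session table used by login.php."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE session (session_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL)"
    )
    con.executemany("INSERT INTO session VALUES (?, ?)", SAMPLE_SESSIONS)
    con.commit()
    return con


def count_sessions(con):
    return con.execute("SELECT COUNT(*) FROM session").fetchone()[0]


def nuke_session_vulnerable(con, session_hash):
    """Same shape as the quoted code: the request-supplied value is pasted
    straight into the DELETE, so the caller controls the WHERE clause.
    Returns the number of rows deleted."""
    cur = con.execute(f"DELETE FROM session WHERE session_hash='{session_hash}'")
    con.commit()
    return cur.rowcount


def nuke_session_fixed(con, session_hash, current_user_id):
    """Hardened variant (assumption, not Savane code): the hash is bound as a
    parameter, so quotes inside it cannot change the query, and the row must
    belong to the user who sent the request.  Returns rows deleted (0 or 1)."""
    cur = con.execute(
        "DELETE FROM session WHERE session_hash=? AND user_id=?",
        (session_hash, current_user_id),
    )
    con.commit()
    return cur.rowcount


def new_session_hash(pre_hash):
    """Salted hash in the spirit of the thread's proposal: md5 over the
    application's pre-hash plus an epoch-time salt and a random salt.
    Unguessability comes from secrets.token_hex, not from md5 itself."""
    salt = f"{int(time.time())}:{secrets.token_hex(16)}"
    return hashlib.md5(f"{pre_hash}:{salt}".encode()).hexdigest()


if __name__ == "__main__":
    con = make_db()
    print("before:", count_sessions(con), "sessions")
    # An attacker does not even need a valid hash of their own.
    print("vulnerable, injected payload deleted:",
          nuke_session_vulnerable(con, "' OR '1'='1"), "rows")
    print("after:", count_sessions(con), "sessions")

    con = make_db()
    print("fixed, injected payload deleted:",
          nuke_session_fixed(con, "' OR '1'='1", 1), "rows")
    print("fixed, user 1 targeting user 2's hash deleted:",
          nuke_session_fixed(con, SAMPLE_SESSIONS[1][0], 1), "rows")
    print("fixed, user 2 logging out deleted:",
          nuke_session_fixed(con, SAMPLE_SESSIONS[1][0], 2), "rows")
    print("example session hash:", new_session_hash("pre_hash_value"))
```

The ownership check matters as much as the parameter binding: with binding alone, a guessed or leaked hash would still let one user delete another's session, which is the "delete other users' session hashes" problem the thread raises.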