A long-term and easily addressed security issue with tango/witango is the use 
of _userreference argument in the URL. The builders default to using this. 
Likely, back in the early pre-pleistocene days of tango, it was practical to 
pass this argument in the URL because of cookies being blocked or something 
like that. Using this feature enables session hijacking and other evils. If you 
use builders, you should strip out this URL argument. Otherwise, don't do it.
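As an added illustration of the point above (example code, not part of this thread or of Witango itself), the script below scans constructed web-server access-log lines for requests that carry the session argument in the query string and flags where that token is also exposed through the Referer of a later request, then shows the sanitized URL with the argument stripped. The `_userreference` key name comes from the message above; treating it case-insensitively, the Common Log Format layout with a trailing Referer field, and the sample log lines are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Witango's URL session argument, as named in the message above (matched case-insensitively;
# that is an assumption for the example).
SESSION_PARAM = "_userreference"

# Constructed sample log lines (assumed Common Log Format with a trailing Referer field).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [03/Dec/2010:11:14:02 -0600] "GET /app/login.taf?_function=show HTTP/1.1" '
    '200 1523 "-"',
    '10.0.0.5 - - [03/Dec/2010:11:14:09 -0600] '
    '"GET /app/account.taf?_function=view&_userreference=ABC123DEF456 HTTP/1.1" '
    '200 8891 "http://intranet.example/app/login.taf"',
    '10.0.0.7 - - [03/Dec/2010:11:15:40 -0600] '
    '"GET /app/report.taf?_UserReference=ZZZ999&id=7 HTTP/1.1" '
    '200 400 "http://intranet.example/app/account.taf?_userreference=ABC123DEF456"',
])

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def parse_clf(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def session_token_in_url(url):
    """Return the session token carried in the URL's query string, or None."""
    parts = urlsplit(url)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == SESSION_PARAM:
            return value
    return None


def strip_session_param(url):
    """Return the URL with the session argument removed; other arguments keep their order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() != SESSION_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def scan_log(text):
    """Report every request whose URL or Referer carries the session token."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        token = session_token_in_url(rec["url"])
        # A token in the Referer means the previous page's URL (token included) was sent
        # along to whatever that page linked to, which is the leak the message warns about.
        ref_token = session_token_in_url(rec["referer"]) if rec["referer"] != "-" else None
        if token or ref_token:
            findings.append({
                "ip": rec["ip"],
                "path": urlsplit(rec["url"]).path,
                "token_in_request": token,
                "token_in_referer": ref_token,
                "sanitized_url": strip_session_param(rec["url"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Run against real logs, the findings list is the inventory of pages still emitting the argument in links, which is the set of pages to fix when stripping it out of builder-generated code; `strip_session_param` is also what a log-redaction step or a redirect rule would apply so that tokens no longer persist in log files.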



On Dec 3, 2010, at 11:14 AM, Deutschendorf, Steve {Dutch} (MSFC-IS30) wrote:

> Well, I misspoke, we also have a few v5.0.1 sites.
>
>
> Thanks, Robert.
>
> Steve Deutschendorf/IS30
> NASA/Marshall Space Flight Center
> Office of the CIO/Applications Team
> MSFC Account Authorization Official (AAO),
> MAMS/MIW, NISE, NAMS, MICS, AIM, SRS
> Phone: 256-544-2250
>
>
> From: Robert Garcia <wita...@bighead.net>
> Reply-To: "Witango-Talk@witango.com" <Witango-Talk@witango.com>
> Date: Fri, 3 Dec 2010 13:00:30 -0600
> To: "Witango-Talk@witango.com" <Witango-Talk@witango.com>
> Subject: Re: Witango-Talk: Alternate Dumb Question Thread: Security
>
> The only real security issue we ever worried about with witango, is SQL 
> injection, and then just poor coding as it relates to login methodologies 
> where there are "holes", that would occur on any platform. So you should 
> always use BIND or database actions, not custom inserts/updates when user 
> inputted data is going into a query.
>
> Witango had a flaw that was patched, so make sure you are on the latest 5.5. 
> Witango will be secure, because it has so little market share, no one is 
> likely to work to exploit it. Anyway, other than that one buffer overflow 
> security patch, I have not seen or heard of a security flaw that was related 
> to witango, it has always been due to poor coding.
>
> --
>
> Robert Garcia
> President - BigHead Technology
> VP Application Development - eventpix.com <http://eventpix.com>
> 15520 Coutelenc Rd
> Magalia, Ca 95954
> ph: 530.645.4040 x222 fax: 530.645.4040
> rgar...@bighead.net - rgar...@eventpix.com
> http://bighead.net/ - http://eventpix.com/
>
> On Dec 3, 2010, at 10:41 AM, Deutschendorf, Steve {Dutch} (MSFC-IS30) wrote:
>
>> Folks,
>>
>> We've had (Wi)Tango around for a dozen years and I can say it's been worry 
>> free in our environment.  The fact that it still functions after various 
>> degrees of support (or not) over those years is a credit to the foundational 
>> work. I can't say that I've seen much discussion on the security 
>> implications of the product along the way, so let me ask...
>>
>> What are the security implications in remaining with v5.5 for some of our 
>> legacy applications?  Looks like we'll be moving to a different environment 
>> over time (for various support reasons), so I just wanted to appreciate the 
>> risk of hanging with my current version.  I realize the product/OS support 
>> will eventually force an upward migration.  Are there current issues with 
>> v5.5 that I may be unaware or is it by its very nature strictly dependent 
>> on the security gaps in the OS or database?
>>
>>
>> Thanks,
>>
>> Steve Deutschendorf/IS30
>> NASA/Marshall Space Flight Center
>> Office of the CIO/Applications Team
>> Phone: 256-544-2250
>>
>>
>> To unsubscribe from this list, please send an email to lists...@witango.com 
>> with "unsubscribe witango-talk" in the body.
>


