Then a user can still hijack a session through a URL, as long as they know the value of the identifier.
--
Robert Garcia
President - BigHead Technology
VP Application Development - eventpix.com
15520 Coutelenc Rd
Magalia, Ca 95954
ph: 530.645.4040 x222 fax: 530.645.4040
[email protected] - [email protected]
http://bighead.net/ - http://eventpix.com/

On Dec 12, 2010, at 2:56 PM, Robert Shubert wrote:

> This is not a function of the server. The server will first look for the
> session cookie, then the search argument and finally a post argument, to
> identify a userreference. This behavior can't be changed.
>
> Robert
>
> From: Robert Garcia [mailto:[email protected]]
> Sent: Friday, December 10, 2010 1:57 PM
> To: [email protected]
> Subject: Re: Witango-Talk: Alternate Dumb Question Thread: Security
>
> That's a good point, but correct me if I am wrong, that is not enough. You
> must also disable Witango from parsing the URL looking for the userreference,
> or the session can still be hijacked. I think that is in system configuration.
>
> --
> Robert Garcia
> President - BigHead Technology
> VP Application Development - eventpix.com
> 15520 Coutelenc Rd
> Magalia, Ca 95954
> ph: 530.645.4040 x222 fax: 530.645.4040
> [email protected] - [email protected]
> http://bighead.net/ - http://eventpix.com/
>
> On Dec 10, 2010, at 10:07 AM, Roland Dumas wrote:
>
> > A long-term and easily addressed security issue with Tango/Witango is the use
> > of the _userreference argument in the URL. The builders default to using this.
> > Likely, back in the early pre-Pleistocene days of Tango, it was practical to
> > pass this argument in the URL because of cookies being blocked or something
> > like that. Using this feature enables session hijacking and other evils. If
> > you use builders, you should strip out this URL argument. Otherwise, don't do
> > it.
> >
> > On Dec 3, 2010, at 11:14 AM, Deutschendorf, Steve {Dutch} (MSFC-IS30) wrote:
> >
> > > Well, I misspoke, we also have a few v5.0.1 sites.
> > >
> > > Thanks, Robert.
> > >
> > > Steve Deutschendorf/IS30
> > > NASA/Marshall Space Flight Center
> > > Office of the CIO/Applications Team
> > > MSFC Account Authorization Official (AAO),
> > > MAMS/MIW, NISE, NAMS, MICS, AIM, SRS
> > > Phone: 256-544-2250
> > >
> > > From: Robert Garcia <[email protected]>
> > > Reply-To: "[email protected]" <[email protected]>
> > > Date: Fri, 3 Dec 2010 13:00:30 -0600
> > > To: "[email protected]" <[email protected]>
> > > Subject: Re: Witango-Talk: Alternate Dumb Question Thread: Security
> > >
> > > The only real security issue we ever worried about with Witango is SQL
> > > injection, and then just poor coding as it relates to login methodologies
> > > where there are "holes", which would occur on any platform. So you should
> > > always use BIND or database actions, not custom inserts/updates, when
> > > user-inputted data is going into a query.
> > >
> > > Witango had a flaw that was patched, so make sure you are on the latest 5.5.
> > > Witango will be secure, because it has so little market share that no one is
> > > likely to work to exploit it. Anyway, other than that one buffer overflow
> > > security patch, I have not seen or heard of a security flaw that was related
> > > to Witango; it has always been due to poor coding.
> > >
> > > --
> > > Robert Garcia
> > > President - BigHead Technology
> > > VP Application Development - eventpix.com
> > > 15520 Coutelenc Rd
> > > Magalia, Ca 95954
> > > ph: 530.645.4040 x222 fax: 530.645.4040
> > > [email protected] - [email protected]
> > > http://bighead.net/ - http://eventpix.com/
> > >
> > > On Dec 3, 2010, at 10:41 AM, Deutschendorf, Steve {Dutch} (MSFC-IS30) wrote:
> > >
> > > > Folks,
> > > >
> > > > We've had (Wi)Tango around for a dozen years and I can say it's been worry
> > > > free in our environment. The fact that it still functions after various
> > > > degrees of support (or not) over those years is a credit to the foundational
> > > > work. I can't say that I've seen much discussion on the security implications
> > > > of the product along the way, so let me ask...
> > > >
> > > > What are the security implications in remaining with v5.5 for some of our
> > > > legacy applications? Looks like we'll be moving to a different environment
> > > > over time (for various support reasons), so I just wanted to appreciate the
> > > > risk of hanging with my current version. I realize the product/OS support
> > > > will eventually force an upward migration. Are there current issues with
> > > > v5.5 that I may be unaware of, or is it by its very nature strictly dependent
> > > > on the security gaps in the OS or database?
> > > >
> > > > Thanks,
> > > >
> > > > Steve Deutschendorf/IS30
> > > > NASA/Marshall Space Flight Center
> > > > Office of the CIO/Applications Team
> > > > Phone: 256-544-2250

----------------------------------------
To unsubscribe from this list, please send an email to [email protected]
with "unsubscribe witango-talk" in the body.
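The point the thread circles around (a session identifier that the server will also accept from the query string or a POST field is one a third party can replay from any link, referer header or proxy log), shown as an added Python example that is not part of the thread and not Witango code. It models the cookie-then-query-then-POST lookup order Robert Shubert describes beside a cookie-only variant, and scans constructed access-log lines for URLs that carry the identifier, which is the audit you would run before stripping the argument from builder-generated links. The parameter name `_userreference` is taken from the thread; the `.taf` paths, the session table and the log lines are all constructed for the example.

```python
"""Session-in-URL hijack demonstration (added example; not Witango code).

Assumptions, all hypothetical: the session parameter is named
"_userreference" as in the thread; the server resolves it cookie first,
then query string, then POST body; log lines are in combined format.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM = "_userreference"   # name used in the thread; assumed here
SESSIONS = {"a1b2c3": "alice"}     # constructed server-side session table


def resolve_session_permissive(cookie_header, url, post_body):
    """Lookup order the thread describes: cookie, then query, then POST.
    Returns (user, source). Anyone who has seen the identifier in a URL
    can present it in a fresh request and be treated as that user."""
    jar = SimpleCookie(cookie_header or "")
    if SESSION_PARAM in jar:
        return SESSIONS.get(jar[SESSION_PARAM].value), "cookie"
    qs = parse_qs(urlsplit(url).query)
    if SESSION_PARAM in qs:
        return SESSIONS.get(qs[SESSION_PARAM][0]), "query"
    form = parse_qs(post_body or "")
    if SESSION_PARAM in form:
        return SESSIONS.get(form[SESSION_PARAM][0]), "post"
    return None, None


def resolve_session_cookie_only(cookie_header, url=None, post_body=None):
    """Hardened variant: only the cookie identifies the session, so a bare
    identifier copied out of a link or a log no longer authenticates."""
    jar = SimpleCookie(cookie_header or "")
    if SESSION_PARAM in jar:
        return SESSIONS.get(jar[SESSION_PARAM].value), "cookie"
    return None, None


# Combined-log request line: "METHOD /path HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def find_leaked_session_ids(log_lines):
    """Return (path, session id) for every request whose URL carries the
    session parameter. Any hit is an identifier that now sits in the web
    server log, in proxy logs and in the Referer header of the next hop."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("path")).query)
        for sid in qs.get(SESSION_PARAM, []):
            hits.append((m.group("path"), sid))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2010:14:56:01 -0800] '
    '"GET /index.taf?_function=list&_userreference=a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2010:14:57:10 -0800] '
    '"GET /index.taf?_function=list HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Dec/2010:14:58:30 -0800] '
    '"POST /login.taf HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    # An attacker who read the first log line replays the id with no cookie.
    stolen_url = "/index.taf?_userreference=a1b2c3"
    print("permissive :", resolve_session_permissive(None, stolen_url, None))
    print("cookie-only:", resolve_session_cookie_only(None, stolen_url, None))
    print("leaked ids :", find_leaked_session_ids(SAMPLE_LOG))
```

Note that the cookie-only resolver does not by itself stop the builders from emitting the argument; it just makes the emitted value useless to a replayer. Stripping the argument from generated links (Roland's advice) and ignoring it server-side are separate changes, and the log scan tells you whether the first one is done.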
