There was a long thread about this vulnerability way back when. I even 
experienced it once where I was sent a URL that had the userref on it and 
joined a session, seeing lots of stuff that shouldn't be shared.

Prevention is easy. Just don't do it.

Sent from my iPhone

On Dec 12, 2010, at 8:01 PM, Robert Garcia <wita...@bighead.net> wrote:

> I guess, I thought I remembered you could alter that, but IMHO a good feature 
> would be to set the server to use cookies ONLY, so that a session could not 
> be hijacked via url or post. Otherwise, the security flaw is still there, you 
> just are limiting the "leakage" of userreference IDs.
>
> --
>
> Robert Garcia
> President - BigHead Technology
> VP Application Development - eventpix.com
> 15520 Coutelenc Rd
> Magalia, Ca 95954
> ph: 530.645.4040 x222 fax: 530.645.4040
> rgar...@bighead.net - rgar...@eventpix.com
> http://bighead.net/ - http://eventpix.com/
>
> On Dec 12, 2010, at 2:56 PM, Robert Shubert wrote:
>
>> This is not a function of the server. The server will first look for the 
>> session cookie, then the search argument and finally a post argument, to 
>> identify a userreference. This behavior can’t be changed.
>>
>> Robert
>>
>> From: Robert Garcia [mailto:wita...@bighead.net]
>> Sent: Friday, December 10, 2010 1:57 PM
>> To: Witango-Talk@witango.com
>> Subject: Re: Witango-Talk: Alternate Dumb Question Thread: Security
>>
>> That's a good point, but correct me if I am wrong, that is not enough. You 
>> must also disable Witango from parsing the URL looking for the 
>> userreference, or the session can still be hijacked. I think that is in system 
>> configuration.
>>
>> --
>>
>> Robert Garcia
>> President - BigHead Technology
>> VP Application Development - eventpix.com
>> 15520 Coutelenc Rd
>> Magalia, Ca 95954
>> ph: 530.645.4040 x222 fax: 530.645.4040
>> rgar...@bighead.net - rgar...@eventpix.com
>> http://bighead.net/ - http://eventpix.com/
>>
>> On Dec 10, 2010, at 10:07 AM, Roland Dumas wrote:
>>
>>
>> A long-term and easily addressed security issue with Tango/Witango is the 
>> use of the _userreference argument in the URL. The builders default to using 
>> this. Likely, back in the early pre-Pleistocene days of Tango, it was 
>> practical to pass this argument in the URL because of cookies being blocked 
>> or something like that. Using this feature enables session hijacking and 
>> other evils. If you use builders, you should strip out this URL argument. 
>> Otherwise, don't do it.
>>
>>
>>
>> On Dec 3, 2010, at 11:14 AM, Deutschendorf, Steve {Dutch} (MSFC-IS30) wrote:
>>
>>
>> Well, I misspoke, we also have a few v5.0.1 sites.
>>
>>
>> Thanks, Robert.
>>
>> Steve Deutschendorf/IS30
>> NASA/Marshall Space Flight Center
>> Office of the CIO/Applications Team
>> MSFC Account Authorization Official (AAO),
>> MAMS/MIW, NISE, NAMS, MICS, AIM, SRS
>> Phone: 256-544-2250
>>
>>
>> From: Robert Garcia <wita...@bighead.net>
>> Reply-To: "Witango-Talk@witango.com" <Witango-Talk@witango.com>
>> Date: Fri, 3 Dec 2010 13:00:30 -0600
>> To: "Witango-Talk@witango.com" <Witango-Talk@witango.com>
>> Subject: Re: Witango-Talk: Alternate Dumb Question Thread: Security
>>
>> The only real security issue we ever worried about with Witango is SQL 
>> injection, and then just poor coding as it relates to login methodologies 
>> where there are "holes", which would occur on any platform. So you should 
>> always use BIND or database actions, not custom inserts/updates, when user-
>> inputted data is going into a query.
>>
>> Witango had a flaw that was patched, so make sure you are on the latest 5.5. 
>> Witango will be secure because it has so little market share; no one is 
>> likely to work to exploit it. Anyway, other than that one buffer overflow 
>> security patch, I have not seen or heard of a security flaw that was related 
>> to Witango; it has always been due to poor coding.
>>
>> --
>>
>> Robert Garcia
>> President - BigHead Technology
>> VP Application Development - eventpix.com
>> 15520 Coutelenc Rd
>> Magalia, Ca 95954
>> ph: 530.645.4040 x222 fax: 530.645.4040
>> rgar...@bighead.net - rgar...@eventpix.com
>> http://bighead.net/ - http://eventpix.com/
>>
>> On Dec 3, 2010, at 10:41 AM, Deutschendorf, Steve {Dutch} (MSFC-IS30) wrote:
>>
>>
>> Folks,
>>
>> We've had (Wi)Tango around for a dozen years and I can say it's been worry-
>> free in our environment. The fact that it still functions after various 
>> degrees of support (or not) over those years is a credit to the foundational 
>> work. I can't say that I've seen much discussion on the security 
>> implications of the product along the way, so let me ask...
>>
>> What are the security implications in remaining with v5.5 for some of our 
>> legacy applications? Looks like we'll be moving to a different environment 
>> over time (for various support reasons), so I just wanted to appreciate the 
>> risk of hanging with my current version. I realize the product/OS support 
>> will eventually force an upward migration. Are there current issues with 
>> v5.5 that I may be unaware of, or is it by its very nature strictly dependent 
>> on the security gaps in the OS or database?
>>
>>
>> Thanks,
>>
>> Steve Deutschendorf/IS30
>> NASA/Marshall Space Flight Center
>> Office of the CIO/Applications Team
>> Phone: 256-544-2250
>>
>>
>> To unsubscribe from this list, please send an email to lists...@witango.com 
>> with "unsubscribe witango-talk" in the body.
>>
>


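The session-identifier problem the thread circles around, as an added example rather than code from the Witango-Talk list or the Witango product: Robert Shubert describes the server resolving a userreference from the session cookie first, then the URL search argument, then a POST argument, and Roland Dumas and Robert Garcia note that accepting it from the URL is what makes a shared link into a hijacked session. The model below implements that lookup order beside a cookie-only policy, and runs a leak and hijack check over constructed access log lines. The argument name `_userreference` comes from the thread; the `Request` shape, the `.taf` paths and the Common Log Format lines are assumptions made for the example.

```python
# Added example, not code from the Witango-Talk thread or the Witango
# product.  It models the session lookup order described in the thread
# (session cookie, then URL search argument, then POST argument) beside a
# cookie-only policy, and runs a leak/hijack check over constructed access
# log lines.  The argument name _userreference comes from the thread; the
# Request shape and the log format are assumptions.
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

SESSION_PARAM = "_userreference"


@dataclass
class Request:
    url: str
    cookies: dict = field(default_factory=dict)   # parsed Cookie header
    form: dict = field(default_factory=dict)      # parsed POST body


def query_params(url):
    """First value of each query-string parameter in url."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def session_id_permissive(req):
    """Lookup order as described in the thread: cookie, then URL, then POST.
    Returns (session_id, source).  Any source is accepted, so a session id
    that appears in a shared link identifies whoever follows the link."""
    if SESSION_PARAM in req.cookies:
        return req.cookies[SESSION_PARAM], "cookie"
    q = query_params(req.url)
    if SESSION_PARAM in q:
        return q[SESSION_PARAM], "url"
    if SESSION_PARAM in req.form:
        return req.form[SESSION_PARAM], "post"
    return None, None


def session_id_cookie_only(req):
    """Hardened policy: only the cookie identifies the session.  A session id
    carried in the URL or body is ignored and reported (second value) so the
    caller can log it as a leaked or replayed identifier."""
    carried_elsewhere = (SESSION_PARAM in query_params(req.url)
                         or SESSION_PARAM in req.form)
    return req.cookies.get(SESSION_PARAM), carried_elsewhere


# Constructed Common Log Format lines; ABC123 appears in URLs from two clients.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2010:20:01:02 -0600] "GET /app.taf?_function=list HTTP/1.1" 200 512
10.0.0.7 - - [12/Dec/2010:20:01:09 -0600] "GET /app.taf?_function=list&_userreference=ABC123 HTTP/1.1" 200 512
10.0.0.9 - - [12/Dec/2010:20:02:11 -0600] "GET /app.taf?_userreference=ABC123&_function=edit HTTP/1.1" 200 901
10.0.0.9 - - [12/Dec/2010:20:02:40 -0600] "GET /app.taf?_userreference=XYZ789 HTTP/1.1" 200 120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_url_session_leaks(log_text):
    """Map each session id seen in a request URL to the sorted list of client
    addresses that presented it.  Every entry is a leaked identifier: it sat
    in a URL, so it is in browser history, proxy logs and referers."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        sid = query_params(path).get(SESSION_PARAM)
        if sid:
            seen.setdefault(sid, set()).add(client)
    return {sid: sorted(clients) for sid, clients in seen.items()}


def suspected_hijacks(leaks):
    """Session ids presented in URLs by more than one client address."""
    return sorted(sid for sid, clients in leaks.items() if len(clients) > 1)


if __name__ == "__main__":
    leaks = find_url_session_leaks(SAMPLE_LOG)
    print("leaked ids:", leaks)
    print("suspected hijacks:", suspected_hijacks(leaks))
```

Running the module prints the two leaked identifiers and flags `ABC123`, which two different clients presented. The cookie-only resolver is the policy Robert Garcia asks for: it never honours an identifier from the URL or body, but still surfaces the fact that one was sent, which is the signal a defender wants to log while legacy builder-generated links are being cleaned up.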
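Robert Garcia's other point, that user-supplied data should reach a query only through BIND or database actions and never through hand-built inserts/updates, as an added example that is not Witango code or code from the thread. It uses an in-memory sqlite3 database whose table and rows are constructed here, and contrasts a query assembled by concatenation with a bound-parameter query; the allow-list helper covers the one case bind parameters cannot handle, an identifier such as a sort column.

```python
# Added example, not Witango code or code from the thread.  It illustrates
# the advice to use bound parameters (BIND / database actions) rather than
# query text assembled from user input, using an in-memory sqlite3 database
# whose table and rows are constructed here.
import sqlite3


def make_db():
    """Constructed sample data: three users, one with the admin role."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_concat(conn, username):
    """Custom query text built from user input: the input is parsed as SQL,
    so a quote in it changes the statement instead of being matched."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn, username):
    """Bound parameter: the input is always a value, never statement text."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


ORDERABLE_COLUMNS = {"username", "role"}


def list_users_ordered(conn, column):
    """Identifiers (table/column names) cannot be bound, so validate them
    against an allow-list instead of splicing the raw string into the SQL."""
    if column not in ORDERABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT username FROM users ORDER BY %s, username" % column
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("concat:", find_user_concat(db, hostile))   # every row comes back
    print("bound: ", find_user_bound(db, hostile))    # no such username: []
```

The bound version returns an empty list for the quoted input because the driver passes it to the engine as a value to compare, whereas the concatenated version has already turned it into a different statement before the engine sees it. The same distinction holds for any driver: the fix is not escaping quotes by hand but keeping data and statement text in separate channels.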