On Mon, Feb 8, 2010 at 12:33 PM, mobi phil <[email protected]> wrote:
>
> A first user retrieves his own post for editing. Then, when saving, he could
> impersonate the other user by sending a post of the first user to be saved
> (changing the ID of the object).
>
> Or is the ID not part of the HTTP message when you save a post? If not,
> how are the objects identified? Is there a hash value generated that would
> make it impossible to send random IDs etc.?
>
> Koen, maybe it is nonsense what I am discussing, but I would not mind
> getting references to how this is implemented... Of course I could spend
> some hours looking at the code... etc.
>
Thanks, mobi, for bringing up the topic.
I too would be interested in seeing a document that explains why
the attack vector you sketch would fail by measures explicitly
taken to counteract them.
> > Nevertheless, we take security seriously,
> I am convinced. However, I am sure that challenging it from time to time
> gives more confidence both to the community and to you.
>
> > convinced that there is a security problem and think of a way of
> > triggering it, you can easily convince us by demonstrating it?
>
I think this should be the other way around.
Security should not be by obscurity. So the burden is on Emweb to
show by what security measures and general design measures Wt is secure.
So what are the invariants that ensure that Wt sessions cannot be hijacked?
If you share this information the community could then evaluate the Wt
security model without having to keep up with the daily evolution of the code.
Cheers,
Maurice
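The scenario mobi sketches above (a logged-in user changing the object ID in the save request so that another user's post gets overwritten) is a missing server-side authorization check. As an added example, not code from Wt, Emweb, or anyone in this thread, the following self-contained C++ sketch uses an in-memory post store and compares three save handlers: one that trusts the client-supplied ID, one that checks the stored owner against the session user, and one that hands the client only session-minted handles so the persistent ID never leaves the server. The names (Post, PostStore, EditSession, the users alice and bob) are constructed for this illustration and make no claim about how Wt itself identifies objects.

```cpp
// Added example (not Wt code): three ways a server can handle a "save post"
// request that carries an object identifier chosen by the client.
#include <map>
#include <optional>
#include <random>
#include <string>
#include <utility>

struct Post {
    std::string owner;
    std::string body;
};

// Constructed in-memory "database" keyed by the persistent post ID.
using PostStore = std::map<int, Post>;

PostStore makeStore() {
    return {{1, {"alice", "alice's draft"}}, {2, {"bob", "bob's draft"}}};
}

// 1. Flawed handler: trusts the ID from the request, so any logged-in user
//    can overwrite any post just by changing the ID (the thread's scenario).
bool saveTrustingClientId(PostStore& store, const std::string& /*sessionUser*/,
                          int postId, const std::string& body) {
    auto it = store.find(postId);
    if (it == store.end()) return false;
    it->second.body = body;  // no ownership check at all
    return true;
}

// 2. Hardened handler: the server loads the post and compares the owner
//    recorded with it against the user bound to the current session.
bool saveWithOwnerCheck(PostStore& store, const std::string& sessionUser,
                        int postId, const std::string& body) {
    auto it = store.find(postId);
    if (it == store.end() || it->second.owner != sessionUser) return false;
    it->second.body = body;
    return true;
}

// 3. Session-scoped handles: the persistent ID is never sent to the client.
//    Opening a post for editing mints an unguessable handle in this session;
//    save accepts only handles this session minted, and re-checks ownership.
class EditSession {
public:
    explicit EditSession(std::string user) : user_(std::move(user)) {}

    // Returns a handle for the post, or nullopt if the user does not own it.
    std::optional<std::string> openForEdit(const PostStore& store, int postId) {
        auto it = store.find(postId);
        if (it == store.end() || it->second.owner != user_) return std::nullopt;
        std::string handle = randomHandle();
        handles_[handle] = postId;
        return handle;
    }

    // A handle copied from another session or a guessed value resolves to
    // nothing here, so the save is refused before the store is touched.
    bool save(PostStore& store, const std::string& handle, const std::string& body) {
        auto h = handles_.find(handle);
        if (h == handles_.end()) return false;
        auto it = store.find(h->second);
        if (it == store.end() || it->second.owner != user_) return false;
        it->second.body = body;
        return true;
    }

private:
    // 128 bits from the OS entropy source, hex-encoded.
    static std::string randomHandle() {
        static const char* hex = "0123456789abcdef";
        std::random_device rd;
        std::string s;
        for (int i = 0; i < 4; ++i) {
            unsigned v = rd();
            for (int j = 0; j < 8; ++j) { s += hex[v & 0xFu]; v >>= 4; }
        }
        return s;
    }

    std::string user_;
    std::map<std::string, int> handles_;
};
```

The first handler is the failure mode the thread asks about; the second is the minimal fix (authorize on every write, never on the read alone); the third answers the "is there a hash value" question in a different way, by making the client-side identifier meaningless outside the session that issued it.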
_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest