-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <[EMAIL PROTECTED]>, mindlace <[EMAIL PROTECTED]>
writes
>This link should show you all the cookies you have at www.zope.org:
>
>http://www.securityspace.com%2fexploit%2fexploit_1b.html%3fdomain==.www.zope.org
>/#exploit_1
> 

Interesting.  I run a JavaScript-free site anyway :-)

>
>I will, however, look into other possibilities, like maybe your password
>could be filled in server side, if some appropriate check can be made.

That's what I do.  I store the userid and a sessionid in the user's
cookie cache as a permanent (optional) cookie, and if they both match
with what I have saved server side, then I display the userid and
password which has also been stored server side.

Obviously this is also vulnerable :-(

- -- 
Regards,  Graham Chiu
gchiu<at>compkarori.co.nz
http://www.compkarori.co.nz/index.php
Powered by Interbase and Zope

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOSlKLbTRdIWzaLpMEQKsAQCcCDyUGBbH4iSP95kWtTW+JX5CrtkAoP3d
3QBPS4irbCnFOl442OgJgboG
=EJJM
-----END PGP SIGNATURE-----

_______________________________________________
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
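
Added example, not part of the original message or of Zope: a Python sketch of the cookie check described above (userid plus sessionid matched against server-side state, then the stored password shown), beside a variant that restores the session without sending the password back. The in-memory store, function names and sample values are all assumptions constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: userid -> server-side sessionid and stored password.
SERVER_STORE = {
    "gchiu": {"sessionid": secrets.token_hex(16), "password": "s3cret-sample"},
}


def cookie_matches(cookies):
    """True when the cookie's userid and sessionid both match the server record."""
    record = SERVER_STORE.get(cookies.get("userid", ""))
    if record is None:
        return False
    # Constant-time comparison so the check does not leak partial matches.
    return hmac.compare_digest(
        record["sessionid"].encode("utf-8"),
        cookies.get("sessionid", "").encode("utf-8"),
    )


def login_form_as_described(cookies):
    """The scheme in the message: on a match, prefill userid and stored password.

    Whoever presents the cookie pair receives the password in the page body,
    so a disclosed cookie also discloses the password.
    """
    if not cookie_matches(cookies):
        return {"userid": "", "password": ""}
    record = SERVER_STORE[cookies["userid"]]
    return {"userid": cookies["userid"], "password": record["password"]}


def login_form_without_password(cookies):
    """Variant: on a match, restore the session and rotate the sessionid.

    The cookie is still a bearer credential, but the password never leaves
    the server and a copied sessionid stops working after the next rotation.
    """
    if not cookie_matches(cookies):
        return {"authenticated": False, "set_cookie": None}
    userid = cookies["userid"]
    new_id = secrets.token_hex(16)
    SERVER_STORE[userid]["sessionid"] = new_id
    return {"authenticated": True,
            "set_cookie": {"userid": userid, "sessionid": new_id}}
```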
