[bugs] [Bug 1161] Changed - Security hole related to HTTP_REFERER
bugs at bugs.horde.org
Wed Jan 29 17:12:50 PST 2003
http://bugs.horde.org/show_bug.cgi?id=1161
*** shadow/1161 Wed Jan 29 16:33:26 2003
--- shadow/1161.tmp.20437 Wed Jan 29 17:12:50 2003
***************
*** 37,39 ****
--- 37,51 ----
This is why people should use cookie-based sessions. I don't consider this a
valid hole in IMP; if people use url-based sessions, this is what they open
themselves up to.
+
+ ------- Additional Comments From jroberts at forumone.com 01/29/03 17:12 -------
+ I understand this security issue is related to PHP's session support and not IMP
+ directly. However, if IMP is going to support the passing of session IDs in the
+ query string, it seems there should be more mention of the security risks
+ involved. For example, a section under "3. Securing IMP" in INSTALL would seem
+ appropriate. I grepped a freshly downloaded copy of IMP 3.1, and don't see any
+ mention of session/cookie/query string security issues. The closest I find is
+ "ENHANCEMENT: IMP no longer requires cookies to be enabled on the client" in
+ CHANGES.
+
+ Thanks for your attention to this. Overall, IMP is an oustanding bit of software.
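Review bot: the documentation gap this comment describes is consistent with the visible text: the only mention of the cookie-less mode quoted here is the CHANGES entry "IMP no longer requires cookies to be enabled on the client", with no accompanying warning that a session ID carried in the query string is exposed to third-party sites through HTTP_REFERER (the subject of this bug). A short paragraph under "3. Securing IMP" in INSTALL that recommends cookie-based sessions, as the earlier comment already advises, and that names the query-string exposure as the reason, would close the gap without changing IMP's behaviour.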