[cl-weblocks-ticket] #45: Don't use gensym for actions to avoid XSS attacks
cl-weblocks
cl-weblocks-devel at common-lisp.net
Wed Aug 1 12:14:11 UTC 2007
#45: Don't use gensym for actions to avoid XSS attacks
-----------------------+----------------------------------------------------
Reporter: anonymous | Owner: sakhmechet
Type: defect | Status: new
Priority: critical | Milestone:
Component: weblocks | Version:
Keywords: security |
-----------------------+----------------------------------------------------
gensym-based action urls can be guessed and thus the following attack is
possible:
A user has his weblocks-based bank system open. In gmail, the user gets a
link to a web-page that will generate lots of guessed action urls that
transfer funds out of the user's bank account.
Ways to fix:
1. Require session id in URLs
2. Or, generate stronger non-gensym based action ids
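The two remedies above, as an added example that is not code from the weblocks project or the ticket: it is written in Python rather than Lisp so it can be run directly, and `gensym_style_action_id`, `ActionRegistry` and `Session` are constructed stand-ins, not weblocks identifiers. It contrasts a sequential, gensym-like id (which an attacker who has seen one id can enumerate) with a token drawn from the OS CSPRNG that is bound to the session which minted it, compared in constant time, and consumed on first use.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# --- The weak scheme the ticket describes (constructed stand-in for gensym) ---
# gensym yields names like G1042, G1043, ...: a counter, not a secret, so
# seeing one action id is enough to guess its neighbours.
_gensym_counter = 1000

def gensym_style_action_id() -> str:
    """Sequential id in the style of gensym; predictable by construction."""
    global _gensym_counter
    _gensym_counter += 1
    return f"G{_gensym_counter}"

# --- The hardened scheme: random, session-bound, single-use action tokens ---
@dataclass
class Session:
    session_id: str
    # token -> handler; tokens are only valid inside the session that minted them
    actions: Dict[str, Callable[[], str]] = field(default_factory=dict)

class ActionRegistry:
    """Mints and dispatches action tokens (hypothetical helper, not weblocks API)."""

    def __init__(self, token_bytes: int = 32):
        self.token_bytes = token_bytes          # 32 bytes = 256 bits of entropy
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> Session:
        sid = secrets.token_urlsafe(32)         # session id itself is unguessable
        session = Session(sid)
        self.sessions[sid] = session
        return session

    def make_action(self, session: Session, handler: Callable[[], str]) -> str:
        # token_urlsafe uses os.urandom; nothing about it can be derived from
        # earlier tokens, unlike a gensym counter
        token = secrets.token_urlsafe(self.token_bytes)
        session.actions[token] = handler
        return token

    def dispatch(self, session_id: str, token: str) -> Optional[str]:
        """Run the action only if the token was minted for this session."""
        session = self.sessions.get(session_id)
        if session is None:
            return None
        # compare against every registered token in constant time so response
        # timing does not reveal how much of a guess matched
        matched = None
        for registered in session.actions:
            if hmac.compare_digest(registered.encode(), token.encode()):
                matched = registered
        if matched is None:
            return None
        handler = session.actions.pop(matched)  # single use: a replay is rejected
        return handler()

def demo() -> dict:
    """Exercise both schemes; returns the observations as a dict."""
    a, b = gensym_style_action_id(), gensym_style_action_id()
    registry = ActionRegistry()
    victim = registry.new_session()
    other = registry.new_session()
    token = registry.make_action(victim, lambda: "transfer executed")
    return {
        "gensym_ids_are_consecutive": int(b[1:]) - int(a[1:]) == 1,
        "token_length": len(token),
        "guessed_token_rejected": registry.dispatch(victim.session_id, "G1001") is None,
        "wrong_session_rejected": registry.dispatch(other.session_id, token) is None,
        "genuine_request": registry.dispatch(victim.session_id, token),
        "replay_rejected": registry.dispatch(victim.session_id, token) is None,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding the token to the session covers remedy 1 (a forged link from another origin does not carry the victim's session-scoped token), and the CSPRNG token covers remedy 2; consuming the token on first use additionally limits damage if a single URL does leak.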
--
Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45>
cl-weblocks <http://common-lisp.net/project/cl-weblocks>