Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities
Fabio Tranchitella
kobold at kobold.it
Sat Apr 5 17:23:40 UTC 2008
Hello,
* 2008-04-05 14:01, Florian Weimer wrote:
> * Nico Golde:
>
> > While I agree that the cookie issues and the session id
> > issue are not of high impact, I still think that at least
> > the CSRF issue should be fixed because the exploit scenario
> > has a certain real-life importance.
>
> The __ac cookie issue is significant as well if the secure flag is not
> set on the cookie even if login happens over HTTPS.
I can't say anything other than "I fully agree", but on a public IRC channel
(irc.freenode.net#plone) I only got useless answers from some core Plone
developers telling me that these problems are kindergarten.
I know that Wichert is working on some of these issues, and this branch
will be released as Plone 3.1, but I couldn't find the exact list of issues
addressed.
--
Fabio Tranchitella http://www.kobold.it
Free Software Developer and Consultant http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564
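The point Florian makes about the __ac cookie, as an added example that is not part of the original thread and not Plone's, Zope's or Debian's code: a login cookie set without the Secure attribute is attached by the browser to plain-http requests for the same site, so a single http link or image on the site leaks it to anyone on the path, even when the login itself happened over HTTPS. The block below parses Set-Cookie headers, audits the cookies it treats as authentication material for missing Secure and HttpOnly, approximates the browser's decision whether a cookie is sent on a given request, and builds the hardened header. The cookie name "_ZopeId", the token values, hostnames and header lines are constructed for the example.

```python
"""Audit Set-Cookie headers for login cookies that lack the Secure flag and
show the consequence: such a cookie is sent on http requests too.

Added example; not code from Plone, Zope or the Debian bug report.  Cookie
values, hostnames and header lines below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Cookies treated as authentication material.  "__ac" is the Plone/Zope login
# cookie discussed in the thread; "_ZopeId" is an assumed session-cookie name.
AUTH_COOKIES = {"__ac", "_ZopeId"}


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or to True for
    bare flag attributes such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers):
    """Return {cookie_name: [missing flags]} for authentication cookies.

    A cookie is reported when it lacks Secure (it will travel over http) or
    HttpOnly (script can read it, turning any XSS into session theft).
    """
    findings = {}
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name not in AUTH_COOKIES:
            continue
        missing = [flag for flag in ("secure", "httponly")
                   if attrs.get(flag) is not True]
        if missing:
            findings[name] = missing
    return findings


def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: equal, or cookie_path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def browser_would_send(set_cookie_header, request_url):
    """Approximate the browser rule that matters here.

    A cookie carrying Secure is only attached to https requests; without it
    the cookie goes out on http as well.  The request is assumed to target
    the host that set the cookie, so only scheme and path are checked.
    """
    _name, _value, attrs = parse_set_cookie(set_cookie_header)
    url = urlsplit(request_url)
    if attrs.get("secure") is True and url.scheme != "https":
        return False
    cookie_path = attrs.get("path", "/")
    if cookie_path is True:          # bare "Path" with no value: treat as "/"
        cookie_path = "/"
    return path_matches(url.path or "/", cookie_path)


def login_cookie_header(token, secure=True, http_only=True):
    """Build the Set-Cookie header for the login cookie the way the thread
    asks for it: Secure when the login happens over HTTPS, plus HttpOnly."""
    parts = ["__ac=%s" % token, "Path=/"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed headers: a weak login cookie next to a harmless one.
    weak = ["__ac=c2Vzc2lvbi10b2tlbg==; Path=/", "theme=plone; Path=/"]
    print("weak headers ->", audit_cookies(weak))
    print("sent on http? ", browser_would_send(weak[0], "http://plone.example/"))
    fixed = login_cookie_header("c2Vzc2lvbi10b2tlbg==")
    print("fixed header ->", fixed, audit_cookies([fixed]))
    print("sent on http? ", browser_would_send(fixed, "http://plone.example/"))
```

Run it as a script to see the weak and hardened headers side by side; audit_cookies() can also be pointed at the Set-Cookie headers captured from a real login response to confirm whether the flags are present.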
More information about the pkg-zope-developers mailing list