2008/11/7 Andrea De Iacovo [EMAIL PROTECTED]:
On Fri, 07/11/2008 at 15.36 -0600, Raphael Geissert wrote:
You can also set cookies via javascript code, e.g.
<script>document.cookie = "GLOBALS=1;domain=.domain.tld;";</script>
ok that's true.
So let's see what we have:
1.
2008/11/8 Andrea De Iacovo [EMAIL PROTECTED]:
As for sure I can mention something in the readme file with the next
release.
Sure (OT: you may want to review the setup procedure too, because last
time I checked it was not very clear).
5. the issue is related to wordpress only and does not
Hi,
I don't think this is a grave security issue. It is only a DoS for one client
application, which requires another vulnerability to be present, can be
easily resolved by deleting the relevant cookies, and does no other harm. As
there are many ways to DoS (web)applications and the impact is
Hi,
2008/11/7 Thijs Kinkhorst [EMAIL PROTECTED]:
Hi,
I don't think this is a grave security issue. It is only a DoS for one client
application, which requires another vulnerability to be present, can be
It is not just about the DoS (because as I demonstrated, there are
other possible
2008/11/7 Andrea De Iacovo [EMAIL PROTECTED]:
Hi,
It is not just about the DoS (because as I demonstrated, there are
other possible attacks).
The whole point is that wordpress' (ab)use of $_REQUEST is leading to
more and more possible attacks (as I also demonstrated by showing how
etch's
Hi,
2008/11/7 Thijs Kinkhorst [EMAIL PROTECTED]:
Hi,
I don't think this is a grave security issue. It is only a DoS for one
client
application, which requires another vulnerability to be present, can be
It is not just about the DoS (because as I demonstrated, there are
other
On Fri, 07/11/2008 at 15.36 -0600, Raphael Geissert wrote:
2008/11/7 Andrea De Iacovo [EMAIL PROTECTED]:
Hi,
It is not just about the DoS (because as I demonstrated, there are
other possible attacks).
The whole point is that wordpress' (ab)use of $_REQUEST is leading to
2008/11/7 Andrea De Iacovo [EMAIL PROTECTED]:
On Fri, 07/11/2008 at 15.36 -0600, Raphael Geissert wrote:
You can also set cookies via javascript code, e.g.
<script>document.cookie = "GLOBALS=1;domain=.domain.tld;";</script>
ok that's true.
So let's see what we have:
1. $_REQUEST
On 8-11-2008 0:09, Andrea De Iacovo wrote:
6. we can try to prepare a workaround while we wait for an official fix from
upstream: maybe I could implement a function to check out if dangerous
cookies are present and stop any other operation until those cookies are
not removed.
There is an easy