* Bill Moseley <[EMAIL PROTECTED]> [2008-10-01 20:45]:
> Where on the risk spectrum is CSRF compared to, say, session
> hijacking?
It’s even harder than XSS to pull off, and requires even closer
involvement of the attacker, but if they succeed, they can
overcome barriers that could prevent an XSS
* John Beppu <[EMAIL PROTECTED]> [2008-10-02 02:40]:
> Have any of you ::Engine::HTTP::Prefork users written init
> scripts for starting and stopping your Catalyst apps?
I must admit, not yet. The server I’m on is an RHEL5 VM – not my
choice, but I didn’t have another. Problem is, I couldn’t find
On Wed, Oct 01, 2008 at 04:58:51PM +0200, Jose Luis Martinez wrote:
> Tomas Doran wrote:
>
> >Unfortunately, there is no such thing as an LDAP credential module on
> >CPAN at the moment.
> >
>
> Catalyst::Authentication::Credential::Authen::Simple should do the
> trick.
> http://search.cpan
On Wed, Oct 01, 2008 at 08:48:33AM +0100, Dermot wrote:
> I would be interested. I would be nervous that I do not have the same
> level of skill or development exposure as some of the others. *Have I
> just voided my application*. We start an in-house project in the next
> month and I have recommen
On Tue, Sep 30, 2008 at 12:37:22PM -0400, Carlos Arenas wrote:
> I am very much interested.
>
> do you have pricing info available? and what is the profile for
> attendees of both types of sessions?
I'll reply to this off-list tomorrow; I'm trying to keep discussion of
details off the mailing li
On Wed, Oct 1, 2008 at 4:15 AM, Pedro Melo <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Sep 30, 2008, at 1:14 AM, Aristotle Pagaltzis wrote:
>
> * John Lee <[EMAIL PROTECTED]<[EMAIL PROTECTED]>>
>> [2008-09-29 16:05]:
>>
>>> What's the general consensus in the catalyst community
>>> nowadays? Is mod_f
On Wed, Oct 01, 2008 at 12:20:04PM +0200, Aristotle Pagaltzis wrote:
> * Moritz Onken <[EMAIL PROTECTED]> [2008-10-01 09:25]:
> > The best way is to include a random string which has to be
> > stored somewhere for comparison on the server side.
>
> Doesn’t have to be stored. Send a random string a
Tomas Doran wrote:
Unfortunately, there is no such thing as an LDAP credential module on
CPAN at the moment.
Catalyst::Authentication::Credential::Authen::Simple should do the
trick.
http://search.cpan.org/~jlmartin/Catalyst-Authentication-Credential-Authen-Simple-0.02/lib/Catalyst/Auth
On 01.10.2008 at 16:23, Aristotle Pagaltzis wrote:
* Moritz Onken <[EMAIL PROTECTED]> [2008-10-01 12:55]:
but this does still rely on the fact that there is no XSS issue
on your page, doesn't it?
So what? If your site has an XSS hole, it’s already game over.
The attacker can inject Javascri
* Moritz Onken <[EMAIL PROTECTED]> [2008-10-01 12:55]:
> but this does still rely on the fact that there is no XSS issue
> on your page, doesn't it?
So what? If your site has an XSS hole, it’s already game over.
The attacker can inject Javascript that passes the same-origin
policy blockade, so the
On 01.10.2008 at 14:20, Jonathan Rockway wrote:
* On Wed, Oct 01 2008, Moritz Onken wrote:
I imagine a case where the attacker's site opens an iframe to your
site which exploits an XSS issue and can send the whole form
information back to the attacker's site. He now has the HMAC and
the random s
* On Wed, Oct 01 2008, Moritz Onken wrote:
> I imagine a case where the attacker's site opens an iframe to your
> site which exploits an XSS issue and can send the whole form
> information back to the attacker's site. He now has the HMAC and
> the random string.
I was under the impression that you co
Hi,
On Sep 30, 2008, at 1:14 AM, Aristotle Pagaltzis wrote:
* John Lee <[EMAIL PROTECTED]> [2008-09-29 16:05]:
What's the general consensus in the catalyst community
nowadays? Is mod_fastcgi preferred at large over mod_fcgid
these days?
Personally? ::Engine::HTTP::Prefork + ::Plugin::Static:
On 01.10.2008 at 12:20, Aristotle Pagaltzis wrote:
* Moritz Onken <[EMAIL PROTECTED]> [2008-10-01 09:25]:
The best way is to include a random string which has to be
stored somewhere for comparison on the server side.
Doesn’t have to be stored. Send a random string as well as a HMAC
digest o
* Moritz Onken <[EMAIL PROTECTED]> [2008-10-01 09:25]:
> The best way is to include a random string which has to be
> stored somewhere for comparison on the server side.
Doesn’t have to be stored. Send a random string as well as a HMAC
digest of a server secret plus the same string. To check a tok
On Wed, Oct 1, 2008 at 12:19 AM, Ashley <[EMAIL PROTECTED]> wrote:
>> Form template:
>>
>> [% USE Digest.SHA1 -%]
>>
>>
On my personal site I do similar to this, but using jQuery to
automatically add these to all forms and A links with
class="requires-token".
http://subtech.g.hatena.ne.jp/miya
On 1 Oct 2008, at 08:41, Stephan Jennewein wrote:
On Wednesday 01 October 2008 03:25:42 am Tomas Doran wrote:
On 1 Oct 2008, at 01:44, Stephan Jennewein wrote:
On Wednesday 01 October 2008 12:39:08 am Andy Grundman wrote:
What Catalyst engine are you using? What you described sounds like
th
2008/9/30 Carlos Arenas <[EMAIL PROTECTED]>:
> I am very much interested.
>
> do you have pricing info available? and what is the profile for
> attendees of both types of sessions?
>
> ca.
>
> On Tue, Sep 30, 2008 at 10:39, Matt S Trout <[EMAIL PROTECTED]> wrote:
>> Shadowcat are looking to start
On Wednesday 01 October 2008 03:25:42 am Tomas Doran wrote:
> On 1 Oct 2008, at 01:44, Stephan Jennewein wrote:
> > On Wednesday 01 October 2008 12:39:08 am Andy Grundman wrote:
> >> What Catalyst engine are you using? What you described sounds like
> >> the behavior with the default HTTP engine.
On 01.10.2008 at 08:57, Ashley wrote:
On Sep 30, 2008, at 11:13 PM, Aristotle Pagaltzis wrote:
* Ashley <[EMAIL PROTECTED]> [2008-09-30 19:30]:
If scripting is involved that makes it an XSS attack instead,
though. No?
No.
Yeah, that was unclear. I was talking about our own sites
and Cat a
Nope.
On Sep 30, 2008, at 11:57 PM, Ashley wrote:
Might be pretty simple in Cat stuff. The crux of the POST
issue seems that the target site's cookies are still safe
from the attacking site's POST.
...
Form template:
[% USE Digest.SHA1 -%]
This won't work because the attacker can grab i
On Sep 30, 2008, at 11:13 PM, Aristotle Pagaltzis wrote:
* Ashley <[EMAIL PROTECTED]> [2008-09-30 19:30]:
If scripting is involved that makes it an XSS attack instead,
though. No?
No.
Yeah, that was unclear. I was talking about our own sites
and Cat apps, not the web at large. It was in that