On 13.07.2008, at 01:37, Miguel Arroz wrote:
Hi!

Yap. From the Apple security announcements mail-list:

WebObjects
CVE-ID: CVE-2008-2318
Available for: Mac OS X v10.5.x
Impact: WebObjects session IDs may be disclosed to other web sites
Description: WebObjects contains an API to generate URLs in HTML documents via the WOHyperlink dynamic element. When WOHyperlink is used, it always appends a session ID to the generated URL, even for absolute URLs. Using WOHyperlink to create URLs that point at other web sites may result in the disclosure of the current user's session ID to those sites. This update addresses the issue by appending session IDs to absolute URLs only when explicitly requested.

I'm still trying to understand this, especially what do they mean by "even for absolute URLs".
It means that even if you use a WOHyperlink with an href binding set to a static string pointing to, e.g., an external site, it would append the session ID to that URL automatically. With WO 5.3 it did so only if you added an extra binding ?wosid=true, but with WO 5.4 / 5.4.1 it is the other way round.
jw
Yours

Miguel Arroz

On 2008/07/13, at 00:29, Joe Little wrote:

apparently, there was a security issue in there resolved by this release. Likely:

5657595 WOHyperlink generates WOSID's on absolute URLs

see http://www.macnn.com/articles/08/07/12/apple.xcode.tools.31/

On Fri, Jul 11, 2008 at 6:09 PM, Pascal Robert <[EMAIL PROTECTED]> wrote:

And WO 5.4.2 release notes : http://support.apple.com/kb/HT1979

Available at the usual place. https://connect.apple.com

--
Seeya...Q

Quinton Dolan - [EMAIL PROTECTED]
Gold Coast, QLD, Australia (GMT+10)
Ph: +61 419 729 806

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/webobjects-dev/probert%40macti.ca
This email sent to [EMAIL PROTECTED]

-------------------------------------------------------
Pascal Robert
http://www.macti.ca
http://www.linkedin.com/in/macti
Skype: MacTICanada
AIM/iChat : MacTICanada

http://www.survs.com
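An audit check for the leak discussed in this thread, added here as an example and not code from the thread or from WebObjects: it scans rendered HTML for links to other hosts that carry a session ID. It assumes the session ID travels in the `wosid` query parameter; the host names, paths and sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM = "wosid"  # assumption: the session ID travels in this query key

# Constructed sample of rendered output; hosts, paths and IDs are made up.
SAMPLE_HTML = """
<a href="/cgi-bin/WebObjects/App.woa/wa/view?wosid=Abc123">relative, own site</a>
<a href="http://app.example.com/cgi-bin/WebObjects/App.woa/wa/view?wosid=Abc123">absolute, own site</a>
<a href="http://partner.example.net/landing?ref=1&amp;wosid=Abc123">external with session</a>
<a href="//cdn.example.org/page?wosid=Abc123">protocol-relative external</a>
<a href="http://partner.example.net/landing">external, clean</a>
"""


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag; entities in the value arrive decoded."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def leaking_links(html, own_hosts):
    """Return hrefs that would send a session ID to a host not in own_hosts."""
    collector = LinkCollector()
    collector.feed(html)
    own = {h.lower() for h in own_hosts}
    leaks = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        host = parts.hostname  # None for relative URLs, lowercased otherwise
        if host is None or host in own:
            continue  # the session ID stays on our own site
        # parse_qs drops blank values, so an empty wosid= is not reported
        if parse_qs(parts.query).get(SESSION_PARAM):
            leaks.append(href)
    return leaks


if __name__ == "__main__":
    for href in leaking_links(SAMPLE_HTML, {"app.example.com"}):
        print("session ID sent off-site:", href)
```

Run it against pages captured before and after the update to confirm that external links no longer carry the parameter.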
