Bug#473571: plone3: CVE-2008-139[3-6] multiple vulnerabilities
Nico Golde
nion at debian.org
Sun Apr 6 13:53:16 UTC 2008
Hi Fabio,
* Fabio Tranchitella <kobold at kobold.it> [2008-04-05 19:27]:
> * 2008-04-05 14:01, Florian Weimer wrote:
> > * Nico Golde:
> >
> > > While I agree that the cookie issues and the session id
> > > issue are not of a high impact, I still think that at least
> > > the CSRF issue should be fixed because the exploit scenario
> > > has a certain real life importance.
> >
> > The __ac cookie issue is significant as well if the secure flag is not
> > set on the cookie even if login happens over HTTPS.
>
> I can't say anything else than "I fully agree", but on a public IRC channel
> (irc.freenode.net#plone) I only got useless answers from some core Plone
> developers telling me that these problems are kindergarten.
I know why I'm not using that cruft ;D
> I know that Wichert is working on some of these issues, and this branch
> will be released as Plone 3.1, but I couldn't find the exact list of issues
> addressed.
Well, I don't see a real problem with that; I think they
should have a certain interest in having their release in
lenny. I'm no webapps guy, but maybe someone else will have
the time to look into that in more detail...
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
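The thread's point about the __ac login cookie is that a cookie set without the Secure flag is sent over plain HTTP as well, even when the login itself happened over HTTPS. The following checker is an added example, not code from this thread or from Plone: it parses Set-Cookie header values, reports authentication cookies that lack Secure (and HttpOnly), and shows the corrected header beside the weak one. The cookie names other than __ac, the sample headers and the helper names are assumptions made for the example.

```python
"""Audit Set-Cookie headers for authentication cookies missing Secure/HttpOnly.

Added example (not from the mailing-list thread or the Plone project).
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Cookies that carry login/session state. "__ac" is the Plone login cookie
# named in the thread; the other two names are assumed examples.
SENSITIVE_COOKIES = {"__ac", "_ZopeId", "sessionid"}


@dataclass
class CookieReport:
    """Parsed view of one Set-Cookie header value."""
    name: str
    secure: bool
    httponly: bool
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Split 'name=value; Attr; Attr=val' into a CookieReport.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    secure = httponly = False
    attributes: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        else:
            attributes[key] = val.strip()
    return CookieReport(name.strip(), secure, httponly, attributes)


def audit_cookies(set_cookie_headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Return {cookie name: [findings]} for sensitive cookies with weak flags.

    A missing Secure flag only matters when the cookie was issued over HTTPS:
    that is exactly the case the thread describes, where the login is
    encrypted but the cookie then leaks on any plain-HTTP request.
    """
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        report = parse_set_cookie(header)
        if report.name not in SENSITIVE_COOKIES:
            continue
        issues = []
        if over_https and not report.secure:
            issues.append("missing Secure: cookie issued over HTTPS is also sent over plain HTTP")
        if not report.httponly:
            issues.append("missing HttpOnly: cookie is readable from script")
        if issues:
            findings[report.name] = issues
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Return the header with Secure and HttpOnly appended when missing.

    Non-sensitive cookies are returned unchanged.
    """
    report = parse_set_cookie(header_value)
    if report.name not in SENSITIVE_COOKIES:
        return header_value
    hardened = header_value.rstrip("; ")
    if not report.secure:
        hardened += "; Secure"
    if not report.httponly:
        hardened += "; HttpOnly"
    return hardened


# Constructed sample headers, as a server might send them after login.
SAMPLE_HEADERS = [
    '__ac="dGVzdDpzZWNyZXQ="; Path=/',         # weak: no Secure, no HttpOnly
    '_ZopeId="12345"; Path=/; HttpOnly',        # weak: no Secure
    'sessionid=abc; Path=/; Secure; HttpOnly',  # fine
    'lang=en; Path=/',                          # not a session cookie, ignored
]

if __name__ == "__main__":
    for name, issues in audit_cookies(SAMPLE_HEADERS).items():
        for issue in issues:
            print(f"{name}: {issue}")
    for header in SAMPLE_HEADERS:
        print("weak:     ", header)
        print("hardened: ", harden_set_cookie(header))
```

Run as a script it lists the two weak cookies in the constructed sample and prints each header next to its hardened form; `audit_cookies` can be pointed at the Set-Cookie values of a real login response captured in a browser's developer tools to check a deployment.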