lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 3 Oct 2013 10:39:39 -0400
From: "G. S. McNamara" <main@...cnamara.com>
To: Paul McMillan <paul@...illan.ws>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Django] Cookie-based session storage session
 invalidation issue

Hi Paul,

The documentation you linked to was updated yesterday to reflect the issue
I brought up with cookie-stored sessions.

Again, the behavior is a surprise to most developers.


Thanks!

G. S. McNamara


On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <paul@...illan.ws> wrote:

> G. S. McNamara:
>
> Perhaps next you will disclose that if an attacker obtains a user's
> password, they can log in as that user. Seriously, "full disclosure"
> of well documented behavior is not particularly impressive.
>
>
> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>
> Cheers,
> -Paul
>
> > From: "G. S. McNamara" <main@...cnamara.com>
> > To: <full-disclosure@...ts.grok.org.uk>
> > Subject: [Full-disclosure] [Django] Cookie-based session storage session
> invalidation issue
> >
> > FD,
> >
> > I’m back!
> >
> > Django versions 1.4 – 1.7 offer a cookie-based session storage option
> (not the default > this time) that is afflicted by the same issue I posted
> about previously concerning Ruby > on Rails:
> >
> > If you obtain a user’s cookie, even if they log out, you can still log
> in as them.
> >
> > The short write-up is here, if needed:
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
> >
> > Cheers,
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ