Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All

Request #8877 Security issue: Preventing session hijacking
Submitted: 2006-10-06 14:29 UTC
From: lyric680-web at yahoo dot de Assigned:
Status: Open Package: Text_Wiki2
PHP Version: 5.0.5 OS: Linux
Roadmaps: (Not assigned)    
Subscription  
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes. If this is not your bug, you can add a comment by following this link. If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
2011-03-27 19:37 UTC
Package:
Bug Type:
Summary:
From: lyric680-web at yahoo dot de
New email:
PHP Version: Package Version: OS:

 

 [2006-10-06 14:29 UTC] lyric680-web at yahoo dot de (Cyril)
Description: ------------ When Text_Wiki is integrated in a site that allows a session id to be transmitted through urls the session id would also be sent to external sites through the referer by the users browser. This can be prevented by using a local or external derefer (http://en.wikipedia.org/wiki/Dereferer). For this all external urls like 'http://www.google.com' have to be translated to something like 'http://derefer.php?url=http://www.google.com'. AFAIK Text_Wiki does not support such a translation yet.

Comments

 [2006-10-06 16:03 UTC] lyric680-web at yahoo dot de
Maybe a render configuration key 'href' for the 'url' rule would be a solution: setRenderConf('xhtml', 'url', 'href', 'http://derefer.php?url=%s');
 [2011-03-27 19:37 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!