
Request #8877 Security issue: Preventing session hijacking
Submitted: 2006-10-06 14:29 UTC
From: lyric680-web at yahoo dot de
Assigned:
Status: Open
Package: Text_Wiki2
PHP Version: 5.0.5
OS: Linux
Roadmaps: (Not assigned)    
 [2006-10-06 14:29 UTC] lyric680-web at yahoo dot de (Cyril)
Description:
------------
When Text_Wiki is integrated in a site that allows a session id to be transmitted through URLs, the session id would also be sent to external sites through the referer by the user's browser. This can be prevented by using a local or external derefer (http://en.wikipedia.org/wiki/Dereferer). For this, all external URLs like 'http://www.google.com' have to be translated to something like 'http://derefer.php?url=http://www.google.com'. AFAIK Text_Wiki does not support such a translation yet.

Comments

 [2006-10-06 16:03 UTC] lyric680-web at yahoo dot de
Maybe a render configuration key 'href' for the 'url' rule would be a solution:
setRenderConf('xhtml', 'url', 'href', 'http://derefer.php?url=%s');
 [2011-03-27 19:37 UTC] till (Till Klampaeckel)
-Package: Text_Wiki +Package: Text_Wiki2
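
The translation requested in this report, sketched as an added example (not Text_Wiki code and not part of the original thread; written for PHP 7.1+). SITE_HOST, DEREFER_PATH and both function names are assumptions. It shows the link-rewriting side and the check the dereferer endpoint needs so it does not become an open redirect to arbitrary schemes.

```php
<?php
// Added example. SITE_HOST and DEREFER_PATH are assumed values, not Text_Wiki settings.
const SITE_HOST    = 'wiki.example.org';  // host of the site embedding the wiki
const DEREFER_PATH = '/derefer.php';      // local dereferer endpoint

/** Return the href to emit for a link found in wiki text. */
function derefer_href(string $url): string
{
    $parts = parse_url($url);
    // Relative links and links to our own host never leave the site.
    if ($parts === false || empty($parts['host'])
        || strcasecmp($parts['host'], SITE_HOST) === 0) {
        return $url;
    }
    // urlencode() keeps a '&' or '#' in the target inside the url parameter;
    // a plain sprintf('%s') substitution would truncate such targets.
    return DEREFER_PATH . '?url=' . urlencode($url);
}

/** Validate the url parameter inside the dereferer; null means reject. */
function derefer_target(?string $raw): ?string
{
    // Whitespace and control characters have no place in a forwarded URL.
    if ($raw === null || preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    // Only forward to web URLs, never javascript:, data: or similar schemes.
    $scheme = strtolower($parts['scheme'] ?? '');
    return ($scheme === 'http' || $scheme === 'https') ? $raw : null;
}

// Constructed sample links, as they might appear in wiki text.
$links = ['http://www.google.com/search?q=a&b=c', '/wiki/HomePage',
          'http://wiki.example.org/Other'];
foreach ($links as $link) {
    echo derefer_href($link), "\n";
}
var_dump(derefer_target('http://www.google.com/'));
var_dump(derefer_target('javascript:alert(1)'));
```

The dereferer only helps if its own URL carries no session id, because that URL is what the external site receives as the referer.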