
Request #8877 Security issue: Preventing session hijacking
Submitted: 2006-10-06 14:29 UTC
From: lyric680-web at yahoo dot de
Assigned:
Status: Open
Package: Text_Wiki2
PHP Version: 5.0.5
OS: Linux
Roadmaps: (Not assigned)    

 [2006-10-06 14:29 UTC] lyric680-web at yahoo dot de (Cyril)
Description:
------------
When Text_Wiki is integrated in a site that allows a session id to be transmitted through URLs, the session id would also be sent to external sites through the referer by the user's browser. This can be prevented by using a local or external dereferer (http://en.wikipedia.org/wiki/Dereferer). For this, all external URLs like 'http://www.google.com' have to be translated to something like 'http://derefer.php?url=http://www.google.com'. AFAIK Text_Wiki does not support such a translation yet.

Comments

 [2006-10-06 16:03 UTC] lyric680-web at yahoo dot de
Maybe a render configuration key 'href' for the 'url' rule would be a solution:
setRenderConf('xhtml', 'url', 'href', 'http://derefer.php?url=%s');
 [2011-03-27 19:37 UTC] till (Till Klampaeckel)
-Package: Text_Wiki +Package: Text_Wiki2
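
The translation requested above, sketched as an added example; it is not part of the original report and not Text_Wiki code. All function names, the /derefer.php path, the key and the sample host are assumptions, and the code assumes PHP 7.1 or later. The target is URL-encoded and signed so that the dereferer only forwards links the site itself rendered, rather than acting as an open redirect.

```php
<?php
// Added illustration; not Text_Wiki code. All names below are hypothetical.

const DEREFER_PATH = '/derefer.php';            // assumed local endpoint
const DEREFER_KEY  = 'replace-with-random-key'; // assumed server-side secret

// True when $url is an absolute http(s) URL on a host other than $siteHost.
function is_external_url(string $url, string $siteHost): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative or malformed: leave untouched
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return strcasecmp($parts['host'], $siteHost) !== 0;
}

// Rewrite an external link so the browser first visits the local dereferer.
// The target is URL-encoded and tagged with an HMAC over the exact URL.
function derefer_href(string $url, string $siteHost): string
{
    if (!is_external_url($url, $siteHost)) {
        return $url;
    }
    $sig = hash_hmac('sha256', $url, DEREFER_KEY);
    return DEREFER_PATH . '?url=' . rawurlencode($url) . '&sig=' . $sig;
}

// Endpoint side: return the validated target, or null to reject the request.
function derefer_target(array $query): ?string
{
    $url = $query['url'] ?? '';
    $sig = $query['sig'] ?? '';
    if (!is_string($url) || !is_string($sig) || $url === '') {
        return null;
    }
    $expected = hash_hmac('sha256', $url, DEREFER_KEY);
    return hash_equals($expected, $sig) ? $url : null; // constant-time compare
}

// Constructed sample: one external and one internal link on wiki.example.org.
foreach (['http://www.google.com', '/index.php?page=Home'] as $link) {
    echo derefer_href($link, 'wiki.example.org'), "\n";
}
```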