[dokuwiki] CookieMonster
- From: Paul Oldham <paul@xxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Fri, 12 Sep 2008 08:32:12 +0100
This article in The Register[1] drew my attention to a possible security
flaw where secure web sites don't secure their cookies thus allowing
"sidejacking" attacks. I updated one of my other projects yesterday
which was affected by this.

Today I was logging into our Wiki, which is SSL encrypted, and I took a
look at the cookies and I see the cookies DokuWiki is setting are sent
over any connection not just encrypted ones. My understanding is that
this means that DokuWiki sites may be vulnerable to attacks using the
CookieMonster toolkit.

I'm using the 2008-05-05 - has this been fixed more recently or is this
something that needs to be addressed?
--
Paul
[1] http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
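
The check described in the message above (do cookies set by an SSL-only site carry the Secure attribute?), as an added example that is not part of the original post or of DokuWiki's code. The cookie names and header values are constructed samples.

```python
from dataclasses import dataclass


@dataclass
class CookieFlags:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse one Set-Cookie header value into its name and security flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive. Only the attribute *name* is
    # compared, so a value such as "path=/secure/" does not count as Secure.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFlags(name, "secure" in attrs, "httponly" in attrs)


def cookies_sent_over_http(set_cookie_headers):
    """Names of cookies the browser would also attach to plain-HTTP requests."""
    flags = (parse_set_cookie(h) for h in set_cookie_headers)
    return [c.name for c in flags if not c.secure]


# Constructed Set-Cookie values, as they might be captured from an HTTPS login.
SAMPLE_HEADERS = [
    "sessid=abc123; path=/secure/",                # no Secure attribute
    "auth=deadbeef; Path=/; Secure; HttpOnly",     # correctly restricted
    "prefs=compact; path=/; httponly",             # HttpOnly but not Secure
]

if __name__ == "__main__":
    for name in cookies_sent_over_http(SAMPLE_HEADERS):
        print(f"{name}: missing Secure, will be sent over unencrypted HTTP")
```
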