[Typo3-dev] Security Problem - HTML
Peter Russ :: 4Dfx
peter.russ at 4dfx.de
Tue Sep 23 16:41:26 CEST 2003
Christoph Moeller schrieb:
> René Fritz schrieb:
>
>> So why not make the security stronger than to make workarounds. Which
>> means to include the IP from where a user logged in, in the current
>> session.
>>
>> Then an attacker have to steal the cookie AND have to simulate the IP
>> which is really hard to do.
>
>
> Good one - /me taking the wooden board off of his forehead...
> Should be fairly more easy than fiddling with regexp's to do malicious
> html code detection/notification.
>
> Is that a big deal in terms of code changes? I personally don't exactly
> know at what places the BE cookie is checked for.
>
Why not handle that in JS and just extend the onload function in the way
you feel confident. And then it's up to you to decide what's black or
white and if it make's sense to forward a cookie by GET and if the IP is ok.
I guess this would produce less overhead than scanning the whole page.
Regs. Peter.
www.ebconclub.net
More information about the TYPO3-dev
mailing list