Comments on: Bugzilla changes http://blogs.gnome.org/ovitters/2009/09/14/bugzilla-changes/ Just another GNOME Blogs weblog Fri, 06 Jan 2012 11:41:44 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: James Henstridge http://blogs.gnome.org/ovitters/2009/09/14/bugzilla-changes/comment-page-1/#comment-437 James Henstridge Wed, 16 Sep 2009 01:25:02 +0000 http://blogs.gnome.org/ovitters/?p=176#comment-437 I noticed that you fixed the attachments to be served from bugzilla-attachments.gnome.org. That's a good start at closing the security hole, but it would be better to use a different domain all together. While this change prevents attackers from reading cookies associated with bugzilla.gnome.org and scripting the site, it still lets me read and set cookies associated with "*.gnome.org" or "gnome.org". That leaves open an avenue for injecting cookies into other gnome.org web apps. Depending on how they are structured, that could be used to steal sessions. I noticed that you fixed the attachments to be served from bugzilla-attachments.gnome.org.

That’s a good start at closing the security hole, but it would be better to use a different domain all together. While this change prevents attackers from reading cookies associated with bugzilla.gnome.org and scripting the site, it still lets me read and set cookies associated with “*.gnome.org” or “gnome.org”.

That leaves open an avenue for injecting cookies into other gnome.org web apps. Depending on how they are structured, that could be used to steal sessions.

]]> By: antimonio http://blogs.gnome.org/ovitters/2009/09/14/bugzilla-changes/comment-page-1/#comment-436 antimonio Mon, 14 Sep 2009 15:13:03 +0000 http://blogs.gnome.org/ovitters/?p=176#comment-436 Why not storing the extensions in the bugzilla.org repo in order to let bugzilla users find them more easily? Why not storing the extensions in the bugzilla.org repo in order to let bugzilla users find them more easily?

]]>