
This queue is for tickets about the CGI-Application-Plugin-CAPTCHA CPAN distribution.

Report information
The Basics
Id: 30759
Status: new
Priority: 0/
Queue: CGI-Application-Plugin-CAPTCHA

People
Owner: Nobody in particular
Requestors: klinteberg [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: not secure
Date: Thu, 15 Nov 2007 19:51:52 +0000
To: bug-cgi-application-plugin-captcha [...] rt.cpan.org
From: "Ludvig af Klinteberg" <klinteberg [...] gmail.com>
I might be horribly wrong, but I really think that CGI::Application::Plugin::CAPTCHA is unsafe. A malicious programmer creating an application to use the service can just have his application send along a cookie that he has created himself, and with that supply an appropriate verification string for his cookie. To avoid that you need to include some kind of hidden server-side password in the string being encrypted, and also include it when you verify.

-- Ludvig af Klinteberg
_____________________ The Yacht Week Mob: +46702403562 ludvig@theyachtweek.com www.theyachtweek.com
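The weakness the reporter describes, and the mitigation he proposes, as an added illustration that is not part of the ticket and not the plugin's own code. The model below is an assumption about how a cookie-carried CAPTCHA check works: the cookie holds the expected answer plus a verification string, and the server recomputes the verification string before comparing the user's input. `unkeyed_verifier` derives the string from the cookie contents alone, so any party that knows the scheme can mint a valid cookie; `keyed_verifier` mixes in a server-side secret (an HMAC), so a cookie built without that secret fails the check. `SERVER_SECRET` and the sample answer `k7x2` are constructed for this example.

```python
import hashlib
import hmac

# Hypothetical server-side secret for this example. In a real deployment it
# comes from server configuration and is never sent to the client.
SERVER_SECRET = b"example-secret-constructed-for-this-demo"


def unkeyed_verifier(answer: str) -> str:
    """Weak pattern from the ticket: the verification string depends only on
    data the client can see, so the client can compute it for any answer."""
    return hashlib.sha256(answer.encode()).hexdigest()


def keyed_verifier(answer: str, secret: bytes = SERVER_SECRET) -> str:
    """Hardened pattern: the verification string is an HMAC over the answer,
    keyed with the server-side secret the ticket asks for."""
    return hmac.new(secret, answer.encode(), hashlib.sha256).hexdigest()


def make_cookie(answer: str, verifier_fn) -> str:
    """Build the cookie value 'answer:verifier' the server would set."""
    return f"{answer}:{verifier_fn(answer)}"


def check_cookie(cookie: str, user_answer: str, verifier_fn) -> bool:
    """Server-side check: reject a cookie whose verification string does not
    match, then compare the user's typed answer against the stored one.
    Returns False for a malformed cookie instead of raising."""
    try:
        answer, mac = cookie.rsplit(":", 1)
    except ValueError:
        return False
    # Constant-time comparison of the recomputed verification string.
    if not hmac.compare_digest(mac, verifier_fn(answer)):
        return False
    return hmac.compare_digest(answer.encode(), user_answer.encode())


def demo() -> dict:
    """Show both outcomes on a constructed answer: a cookie minted without the
    secret passes the unkeyed check but is rejected by the keyed one."""
    answer = "k7x2"
    minted_without_secret = make_cookie(answer, unkeyed_verifier)
    issued_by_server = make_cookie(answer, keyed_verifier)
    return {
        "unkeyed_accepts_minted_cookie": check_cookie(
            minted_without_secret, answer, unkeyed_verifier),
        "keyed_rejects_minted_cookie": not check_cookie(
            minted_without_secret, answer, keyed_verifier),
        "keyed_accepts_server_cookie": check_cookie(
            issued_by_server, answer, keyed_verifier),
        "keyed_rejects_wrong_answer": not check_cookie(
            issued_by_server, "nope", keyed_verifier),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the keyed form is that the verification string can only be produced by a party holding `SERVER_SECRET`; the cookie can still be read by the client, but it can no longer be fabricated. Using `hmac.compare_digest` rather than `==` avoids leaking information through comparison timing, which is a separate concern from the one in the ticket but cheap to get right at the same time.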