Re: Session Id Collisions

Date: Mon, 05 Aug 2013 19:41:29 +0000
Subject: Re: Session Id Collisions
Groups: php.internals

Hi Arpad,

On Tue, Aug 6, 2013 at 4:17 AM, Arpad Ray <arraypad@gmail.com> wrote:

> On Mon, Aug 5, 2013 at 7:46 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
>
>> On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray <arraypad@gmail.com> wrote:
>>
>>>  I think there really should be a vote.
>>
>>
>> This means you don't really understand the true risk of this
>> vulnerability.
>> It allows permanent session ID fixation. This is a CVE-assigned
>> vulnerability.
>> Details are explained in the RFC and I don't want to explain fully on the ML
>> again.
>> (We might have discussed the details in security@php.net, but I think I wrote
>> enough info)
>>
>> Please refer to the RFC.
>>
>
> I do really understand the risk...
>

It allows "permanent" session ID fixation due to browser implementations.
To make matters worse than in the old days, recent browsers only send one
outstanding cookie. This made attack detection impossible on the server side.
(i.e. a bad countermeasure(?) taken by browser developers)

If you are still curious about this vulnerability fix, please read the RFC and
do a little experiment. I did the experiment 2 years ago (and even 10 years
ago). I suppose things have not changed.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

