CGI::Session Security Concerns

From: "Dada Mail" <dada@PROTECTED>
Date: May 18th 2006

I got a report from a Dada Mail user that Dada Mail 2.10.8 and below
comes with the CPAN Perl module CGI::Session. The version that comes
with it is in the 3.x series. There seem to be some security
concerns with this version; some are described at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555

The new alpha comes with a copy of CGI::Session (ver 4.13, the most
recent) that has these security problems fixed. Now, here are some
problems for anyone that's not using the alpha version of Dada Mail
(I'm thinking the majority of you):

* CGI::Session 4.13 will not work with any version of Dada Mail,
except the current 2.10.9 alpha version. You'll need to upgrade, or:

* Install CGI::Session 4.13 and copy the dada/DADA/App/Session.pm
file that comes with Dada Mail 2.10.9 alpha into your own working
copy of Dada Mail, replacing the existing one. This should relieve
the problem, but hasn't been tested at all. The easiest way to install
CGI::Session 4.13 is to copy all the dada/DADA/perllib/CGI/Session*
files from the Dada Mail 2.10.9 alpha distribution into your current
installed copy.

* If you cannot get this to work correctly, you can try just
removing all the dada/DADA/perllib/CGI/Session* files. Dada Mail will
fall back to a session system that does not rely on this CPAN module
(handy, huh?)

* If the above doesn't work, open up dada/DADA/App/Session.pm and
find this method:

[snip]

sub can_use_cgi_session {

    my $self = shift;
    my $can_use_cgi_session = 0;

    # CGI::Session is only tried on Perl 5.6.1 or newer; if the
    # require fails, $@ is set and the fallback session code is used
    if ($] >= 5.006_001) {
        eval { require CGI::Session };
        if (!$@) {
            $can_use_cgi_session = 1;
        }
    }

    return $can_use_cgi_session;

}

[/snip]

Change it to:

[snip]

sub can_use_cgi_session { return 0; }

[/snip]

* If you have Dada Mail with a version number below 2.9, you
are unaffected.

So, FYI - I don't have any live cases where the security issues
present in CGI::Session have caused any problems to any Dada Mail user.

Also, if you can test out the alpha, most notably the login/logout/logging
into a different list, and make sure all those still work, it would help
me greatly. The program is only as good as the feedback I get.

Cheers,
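
The workarounds in the post above amount to a short decision tree: either the bundled CGI::Session is 4.13 or newer, or it is the 3.x series, or Dada Mail has been switched to its fallback session code (by deleting the module files, or by forcing can_use_cgi_session() to return 0). The script below is an added example, not code from Dada Mail or CGI::Session, that audits an install against that tree. It assumes the two paths named in the post (dada/DADA/perllib/CGI/Session.pm and dada/DADA/App/Session.pm), assumes the module states its version with a literal $VERSION assignment, and when run without arguments exercises its logic on constructed sample sources embedded inline rather than on real files.

```perl
#!/usr/bin/perl
# audit_cgi_session.pl - added example, not part of Dada Mail or CGI::Session.
# Given the root of a Dada Mail install, report whether the bundled
# CGI::Session is the 3.x series the post warns about, 4.13 or newer, or
# whether the install has been switched to the fallback session code by
# either removing the module or forcing can_use_cgi_session() to return 0.
# Assumptions: the file paths from the post, and that the module states its
# version with a plain "$VERSION = '...'" assignment.
use strict;
use warnings;
use File::Spec;

my $SAFE_VERSION = 4.13;    # the version the post says carries the fixes

# Extract a decimal $VERSION from Perl module source; undef if not found.
# (Assumes a literal assignment; a computed version would not be detected.)
sub module_version {
    my ($src) = @_;
    return $src =~ /^\s*(?:our\s+)?\$(?:[\w:]+::)?VERSION\s*=\s*['"]?(\d+(?:\.\d+)?)/m
        ? $1 : undef;
}

# True when can_use_cgi_session() has been rewritten to the "return 0" body
# described in the post, i.e. the fallback session system is forced on.
sub fallback_forced {
    my ($src) = @_;
    return $src =~ /sub\s+can_use_cgi_session\s*\{\s*return\s+0\s*;?\s*\}/s ? 1 : 0;
}

# Decide the state of an install from the two source files.
#   fallback   - can_use_cgi_session() forced to 0, CGI::Session not used
#   absent     - CGI/Session.pm missing, Dada Mail falls back by itself
#   vulnerable - bundled CGI::Session older than 4.13 (the 3.x series)
#   ok         - bundled CGI::Session 4.13 or newer
#   unknown    - module present but no $VERSION line recognised
sub classify {
    my ($cgi_session_src, $app_session_src) = @_;
    return 'fallback' if defined $app_session_src && fallback_forced($app_session_src);
    return 'absent'   unless defined $cgi_session_src;
    my $v = module_version($cgi_session_src);
    return 'unknown'  unless defined $v;
    return $v >= $SAFE_VERSION ? 'ok' : 'vulnerable';
}

# Read a whole file, or undef if it cannot be opened (treated as "absent").
sub slurp {
    my ($path) = @_;
    open my $fh, '<', $path or return undef;
    local $/;
    my $src = <$fh>;
    close $fh;
    return $src;
}

sub audit_tree {
    my ($root) = @_;
    my $cgi = slurp(File::Spec->catfile($root, qw(dada DADA perllib CGI Session.pm)));
    my $app = slurp(File::Spec->catfile($root, qw(dada DADA App Session.pm)));
    return classify($cgi, $app);
}

if (@ARGV) {
    # Real install: perl audit_cgi_session.pl /path/to/dada-mail
    printf "%s: %s\n", $ARGV[0], audit_tree($ARGV[0]);
}
else {
    # Constructed sample sources, so the logic can be exercised offline.
    # These are not the real module files; only the version line and the
    # method shape matter here.
    my $session_3x   = "package CGI::Session;\nuse strict;\n\$VERSION = '3.95';\n1;\n";
    my $session_413  = "package CGI::Session;\nour \$VERSION = '4.13';\n1;\n";
    my $app_original = "sub can_use_cgi_session {\n    my \$self = shift;\n"
                     . "    my \$can_use_cgi_session = 0;\n"
                     . "    return \$can_use_cgi_session;\n}\n";
    my $app_patched  = "sub can_use_cgi_session { return 0; }\n";

    printf "3.x bundled, method unchanged : %s\n", classify($session_3x,  $app_original);
    printf "4.13 bundled, method unchanged: %s\n", classify($session_413, $app_original);
    printf "3.x bundled, method patched   : %s\n", classify($session_3x,  $app_patched);
    printf "Session.pm files removed      : %s\n", classify(undef,        $app_original);
}
```

Point it at a real tree with a path argument; an "ok" result only says the bundled module is 4.13 or newer, and, as the post notes, 4.13 needs the 2.10.9 alpha's DADA/App/Session.pm to work, so the version check and the App::Session replacement go together.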

  • This mailing list is a public mailing list - anyone may join or leave, at any time.
  • This mailing list is a group discussion list (unmoderated)
  • Start a new thread, email: dadadev@dadamailproject.com

This is the developer discussion mailing list for Dada Mail.

If you are just looking for support for Dada Mail, consult the message boards at:

https://forum.dadamailproject.com

Documentation for Dada Mail:

https://dadamailproject.com/d

Specifically, see the Error FAQ:

https://dadamailproject.com/d/FAQ-errors.pod.html

To post to this list, send a message to:

mailto:dadadev@dadamailproject.com

All subscribers of this list may post to the list itself.

Topics that are welcome:

  • Constructive critiques on the program (I like, "x", but, "y" needs some work - here's an idea on how to make this better...)
  • Bug/Error reports
  • Bug fixes
  • Request For Comments on any changes to the program
  • Help customizing Dada Mail for your own needs
  • Patches
  • Language Translations
  • Support Documentation/Doc editing, FAQ's, etc.
  • Discussion of any changes that you would like to be committed to the next version of Dada Mail

Dada Mail is on Github:

https://github.com/justingit/dada-mail/

If you would like to fork, branch, send over PRs, open up issues, etc.

Privacy Policy:

This Privacy Policy is for this mailing list, and this mailing list only.

Email addresses collected through this mailing list are used only to operate this email discussion list.

We only collect email addresses through our Closed-Loop Opt-In system.

We don't use your email address for any other purpose.

We won't be sharing your email address with any other entity.

Unsubscription can be done at any time. Please contact us at: justin@dadamailproject.com for any help regarding your subscription, including removal from the mailing list.

All mailing list messages sent from us will include a subscription removal link, which will allow you to remove yourself from this mailing list automatically, and permanently.

All consent to use your email address for any other purpose stated at the time of the mailing list subscription will also be revoked upon mailing list removal.