Re: CGI::Session Security Concerns

 
From: "Dada Mail" <dada@PROTECTED>
Date: May 18th 2006

Sorry, that last snippet should have read:

[snip] sub can_use_cgi_session { return 0; } [/snip]

--
Justin Simoni

: Dada Mail "Write Once - Distribute Everywhere" Email Communication
Software

url: http://mojo.skazat.com ph: 720 436 7701 aolim: leaddadaist

On May 18, 2006, at 5:00 PM, Dada Mail (Justin Simoni) wrote:

>

I got a report from a Dada Mail user that Dada Mail 2.10.8 and
below comes with the CPAN Perl module CGI::Session. The version
that comes with it is in the 3.x series. There seem to be some
security concerns with this version; some are described at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555

The new alpha comes with a copy of CGI::Session (ver. 4.13, the
most recent) that has these security problems fixed. Now, here are
some problems for anyone that's not using the alpha version of
Dada Mail (I'm thinking the majority of you):

  • CGI::Session 4.13 will not work with any version of Dada Mail
    except the current 2.10.9 alpha version. You'll need to upgrade, or:

  • Install CGI::Session 4.13 and copy the dada/DADA/App/Session.pm
    file that comes with Dada Mail 2.10.9 alpha into your own working
    copy of Dada Mail. This should relieve the problem, but hasn't
    been tested at all. The easiest way to install CGI::Session 4.13
    is to copy all the dada/DADA/perllib/CGI/Session* files from the
    Dada Mail 2.10.9 alpha distribution into your currently installed
    copy.

  • If you cannot get this to work correctly, you can try just
    removing all the dada/DADA/perllib/CGI/Session* files. Dada Mail
    falls back to a session system that does not rely on this CPAN
    module (handy, huh?).

  • If the above doesn't work, open up dada/DADA/App/Session.pm and
    find this method:

[snip]

sub can_use_cgi_session {

    my $self                = shift;
    my $can_use_cgi_session = 0;

    # CGI::Session is only usable on Perl 5.6.1 or newer; probe for it
    # at runtime so Dada Mail can fall back to its own session code.
    if ($] >= 5.006_001) {
        eval { require CGI::Session };
        if (!$@) {
            $can_use_cgi_session = 1;
        }
    }

    return $can_use_cgi_session;
}

[/snip]

Change it to:

[snip] can_use_cgi_session return 0; } [/snip]

  • If you have a Dada Mail that has a version number below 2.9, you
    are unaffected.

So, FYI - I don't have any live cases where the security issues
present in CGI::Session have caused any problems for any Dada Mail
user.

Also, if you can test out the alpha, most notably the login/logout/
logging into a different list, and make sure all those still work,
it would help me greatly. The program is only as good as the
feedback I get.

Cheers,

-- Justin Simoni

: Dada Mail "Write Once - Distribute Everywhere" Email
Communication Software

url: http://mojo.skazat.com ph: 720 436 7701 aolim: leaddadaist
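As an added example (not code from Dada Mail or from Justin's post), the POSIX shell script below audits a Dada Mail checkout for the three states the post describes: a bundled CGI::Session in the 3.x series, a bundled 4.13 or later, or the bundled module removed so that the built-in session fallback is used. It also reports whether dada/DADA/App/Session.pm has been edited so that can_use_cgi_session unconditionally returns 0. The two paths are the ones named in the post; the assumption that CGI/Session.pm declares its version on a single line of the form `$VERSION = '4.13';` or `our $VERSION = "3.95";` is mine, as is the constructed sample tree the script builds for itself so it runs offline. The post only says that 3.x has concerns and that 4.13 fixes them, so a 4.x release below 4.13 is reported as "check" rather than as affected or fixed.

```shell
#!/bin/sh
# Added example, not code from Dada Mail or from the original post: audit a
# Dada Mail checkout for the CGI::Session situation described in the thread.
# Paths (dada/DADA/perllib/CGI/Session.pm, dada/DADA/App/Session.pm) come from
# the post; the one-line  $VERSION = '...';  layout is an assumption of mine.

# cgi_session_version DIR
#   Prints the version of the CGI::Session bundled under DIR, "none" when the
#   bundled copy has been removed, or "unknown" when no $VERSION line is found.
cgi_session_version() {
    f="$1/dada/DADA/perllib/CGI/Session.pm"
    if [ ! -f "$f" ]; then
        echo none
        return 0
    fi
    # Split the first $VERSION assignment on quote characters; field 2 is the value.
    v=$(awk -F "['\"]" '/^[[:space:]]*(our[[:space:]]+)?\$VERSION[[:space:]]*=/ { print $2; exit }' "$f")
    if [ -n "$v" ]; then echo "$v"; else echo unknown; fi
}

# version_ge A B
#   True when A >= B. Perl module versions are decimal numbers (4.9 > 4.13), so
#   a plain numeric comparison is the right one, not a dotted-field compare.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 >= b + 0) }'
}

# cgi_session_status VERSION
#   Maps the result of cgi_session_version to the states the post distinguishes.
cgi_session_status() {
    v=$1
    if [ "$v" = none ]; then
        echo "fallback: no bundled CGI::Session, Dada Mail's own session code is used"
    elif [ "$v" = unknown ]; then
        echo "unknown: could not parse \$VERSION from CGI/Session.pm"
    elif version_ge "$v" 4.13; then
        echo "fixed: CGI::Session $v is 4.13 or later, the version the post says carries the fixes"
    elif [ "${v%%.*}" -le 3 ]; then
        echo "affected: CGI::Session $v is in the 3.x series flagged in the post (Debian bug 356555)"
    else
        echo "check: CGI::Session $v is 4.x but older than 4.13; consult the Debian report"
    fi
}

# fallback_forced DIR
#   True when dada/DADA/App/Session.pm has been edited so can_use_cgi_session
#   returns 0 unconditionally (the last-resort step in the post); false when
#   the sub still probes for CGI::Session with `require`.
fallback_forced() {
    f="$1/dada/DADA/App/Session.pm"
    [ -f "$f" ] || return 1
    awk '/^[[:space:]]*sub[[:space:]]+can_use_cgi_session/ { insub = 1 }
         insub && /return[[:space:]]+0[[:space:]]*;/        { found = 1 }
         insub && /require[[:space:]]+CGI::Session/         { found = 0; exit }
         insub && /^[[:space:]]*}/                          { exit }
         END { exit !found }' "$f"
}

# audit_dada_mail DIR
#   One line per finding for an installation rooted at DIR.
audit_dada_mail() {
    echo "CGI::Session: $(cgi_session_status "$(cgi_session_version "$1")")"
    if fallback_forced "$1"; then
        echo "App/Session.pm: can_use_cgi_session forced to 0, built-in sessions used regardless"
    else
        echo "App/Session.pm: can_use_cgi_session still probes for CGI::Session"
    fi
}

# make_sample VERSION MODE
#   Builds a constructed (fake) installation tree in a temp dir: VERSION is the
#   bundled CGI::Session version or "none"; MODE is "forced" or "stock" for the
#   two shapes of can_use_cgi_session shown in the post. Prints the directory.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/dada/DADA/perllib/CGI" "$d/dada/DADA/App"
    if [ "$1" != none ]; then
        printf '%s\n' 'package CGI::Session;' "our \$VERSION = '$1';" '1;' \
            > "$d/dada/DADA/perllib/CGI/Session.pm"
    fi
    if [ "$2" = forced ]; then
        printf '%s\n' 'package DADA::App::Session;' \
            'sub can_use_cgi_session { return 0; }' '1;' > "$d/dada/DADA/App/Session.pm"
    else
        printf '%s\n' 'package DADA::App::Session;' 'sub can_use_cgi_session {' \
            '    my $self = shift; my $can_use_cgi_session = 0;' \
            '    if ($] >= 5.006_001) {' \
            '        eval { require CGI::Session }; if (!$@) { $can_use_cgi_session = 1; }' \
            '    }' '    return $can_use_cgi_session;' '}' '1;' \
            > "$d/dada/DADA/App/Session.pm"
    fi
    echo "$d"
}

# Demo on three constructed trees: a stock install with a 3.x module, an alpha
# with 4.13, and an install with the module removed and the sub forced to 0.
for spec in "3.95 stock" "4.13 stock" "none forced"; do
    set -- $spec
    d=$(make_sample "$1" "$2")
    echo "== bundled $1 / Session.pm $2"; audit_dada_mail "$d"
    rm -rf "$d"
done
```

Against a real checkout, source the script and call `audit_dada_mail /path/to/dada-mail`; run it as-is to see the report on the constructed trees only. The version comparison is numeric on purpose: Perl module versions are decimals, so 4.9 is newer than 4.13, and a field-by-field dotted compare would get that backwards.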

--

Post: dadadev@skazat.com

Unsubscribe: http://mojo.skazat.com/cgi-bin/dada/mail.cgi/u/dadadev/
