Great Circle Associates Majordomo-Workers
(April 1996)
 


Subject: Re: security of gen_cookie? (1.94a4)
From: Brock Rozen <brozen @ netvoyage . net>
Date: Wed, 24 Apr 1996 18:30:36 -0700 (PDT)
To: Dave Barr <barr @ math . psu . edu>
Cc: majordomo-workers @ GreatCircle . COM
In-reply-to: <199604232212.SAA01016@augusta.math.psu.edu>
Reply-to: brozen @ netvoyage . net

On Tue, 23 Apr 1996, Dave Barr wrote:

> 	It looks like the cookie (for subscribe=..+confirm) used by
> majordomo is trivially easy to compute by a third party.  I notice
> there's some attempt at randomization thrown in by the $cookie_seed
> variable, however this variable is never set!
>
> 	I propose a fix like this:  cookie generation would be
> done by a one-way hashing function f($list,$action,$subscriber,$admin_passwd)
> That would take away the ability to compute the cookie unless you knew
> admin_passwd.

I would hate to have the admin_passwd be part of any hashing. How about
adding in the time (down to the second), thus guaranteeing a unique code
each time around.

I foresee a problem though with majordomo recognizing this code as valid
when it comes back, since the time has changed. I have a few ideas for a
solution, but I'm sure there are better ones out there than actually
saving the code on the system (not SO bad if the codes are purged every 48
hours or so). Maybe using the date instead?

 -------------------------------------------------------------------------
 | Brock Rozen | brozen@netvoyage.net | http://www.netvoyage.net/~brozen |
 | Check out my Auto-Reply System -- Send me mail with subject SEND HELP |
 -------------------------------------------------------------------------
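As an added illustration of the scheme the thread is circling around (a keyed one-way hash over list, action and subscriber, with a date rather than a second-resolution time so the cookie can be re-derived when it comes back), here is example code that is not part of Majordomo or of either poster's proposal. It assumes a dedicated random server secret instead of the admin password, a NUL separator between fields, and a one-day grace window; all three are this example's own choices.

```python
import hmac
import hashlib
import time

# Assumption: a dedicated random secret kept on the server. This stands in
# for the never-set $cookie_seed and deliberately is NOT the admin password.
SERVER_SECRET = b"constructed-example-secret-replace-me"

DAY = 86400  # seconds


def _bucket(ts):
    """Day bucket for a Unix timestamp; the cookie is bound to this, not to the second."""
    return int(ts) // DAY


def gen_cookie(list_name, action, subscriber, ts=None, secret=SERVER_SECRET):
    """Return a hex cookie for f(list, action, subscriber, day) under a keyed hash."""
    if ts is None:
        ts = time.time()
    # NUL-separate the fields so "ab"+"c" and "a"+"bc" cannot hash alike.
    msg = "\0".join([list_name, action, subscriber, str(_bucket(ts))]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def check_cookie(cookie, list_name, action, subscriber, ts=None,
                 secret=SERVER_SECRET, window=1):
    """Accept the cookie if it matches today's bucket or one of `window` earlier days.

    Nothing is stored server-side: the expected value is simply recomputed for
    each candidate day, which is what lets the date replace a saved code.
    """
    if ts is None:
        ts = time.time()
    for back in range(window + 1):
        expected = gen_cookie(list_name, action, subscriber, ts - back * DAY, secret)
        if hmac.compare_digest(cookie, expected):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    # Constructed sample request: issue on day N, confirm on day N+1.
    issued = 1000000000
    c = gen_cookie("test-l", "subscribe", "user@example.org", ts=issued)
    print(c, check_cookie(c, "test-l", "subscribe", "user@example.org", ts=issued + DAY))
```

A cookie presented two days later, or for a different subscriber or action, recomputes to a different value and is rejected without any stored state to purge.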



