Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Ye Gads. Shouldn't this issue deserve a top-level news item on the OpenACS site? Something like "Monstrous Security Hole: disable all HTML immediately!"

At least until a workaround is available!

Kjell is right: we need to have a process for communicating important security announcements like this.

I propose a separate security forum, that is only for security updates and warnings. I know nobody likes having separate forums because it can fragment conversations, but the advantage is that nobody should have to follow any of the other forums if they only want security updates. And security updates are pretty mandatory.

You don't need to disable all HTML, Kjell, just not allow * for HTML.

Is this something that the OCT is willing to discuss and make some decisions about?

Jade, unfortunately it is not entirely true that disallowing * for HTML will be enough.

If a remote page (called B) contains an img tag that GETs a URL on your site (called A), and you GET this page on B, then you'll issue a GET request to your resource on A as well, with your credentials on A.

So HTML parsing WON'T solve this problem.

(However, disallowing * will significantly reduce risk.)
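A server-side check for the cross-site GET scenario described in the post above, added here as an illustration (it is not code from OpenACS or from any poster). It assumes constructed paths, a constructed server secret and a constructed site origin; the point is that the check runs on site A at request time, where filtering the HTML stored on A cannot help.

```python
import hmac
import hashlib

# Constructed secret for the example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use"
SITE_ORIGIN = "https://a.example"  # constructed origin for "site A"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token with HMAC, so nothing extra is stored."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(path: str) -> bool:
    """Hypothetical routing rule: /admin/ pages and */delete, */update actions change state."""
    bare = path.split("?", 1)[0]
    return bare.startswith("/admin/") or bare.endswith(("/delete", "/update"))


def check_request(method, path, session_id, form_token=None, origin=None):
    """
    Return (allowed, reason) for a request that arrived with A's session cookie.

    The thread's scenario is page B embedding <img src="https://a.example/admin/delete?id=1">:
    the victim's browser sends a GET to A carrying A's cookie, with no token and
    (if the browser sends it) an Origin of B. Each of those facts is checked below.
    """
    if not is_state_changing(path):
        return True, "read-only request"
    if method != "POST":
        # An <img> tag can only issue GET, so refusing GET for state changes blocks it outright.
        return False, "state change requested via GET (img-tag style cross-site request)"
    expected = issue_csrf_token(session_id)
    if form_token is None or not hmac.compare_digest(expected, form_token):
        # A page on B cannot read A's token, so a forged form will not carry a valid one.
        return False, "missing or invalid anti-CSRF token"
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin Origin header"
    return True, "ok"
```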