Lists

Terms and Conditions
Lists hosted on this site
Email the Postmaster
Tips for posting to public mailing lists

Re: XCode 3.1 is out.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: XCode 3.1 is out.

Subject: Re: XCode 3.1 is out.
From: Johann Werner <email@hidden>
Date: Sun, 13 Jul 2008 10:24:57 +0200


Am 13.07.2008 um 01:37 schrieb Miguel Arroz:

Hi!

 Yap. From the Apple security announcements mail-list:

WebObjects
CVE-ID:  CVE-2008-2318
Available for:  Mac OS X v10.5.x
Impact:  WebObjects session IDs may be disclosed to other web sites
Description:  WebObjects contains an API to generate URLs in HTML
documents via the WOHyperlink dynamic element. When WOHyperlink is
used, it always appends a session ID to the generated URL, even for
absolute URLs. Using WOHyperlink to create URLs that point at other
web sites may result in the disclosure of the current user's session
ID to those sites. This update addresses the issue by appending
session IDs to absolute URLs only when explicitly requested.

I'm still trying to understand this, specially what do they mean by "even for absolute URLs".

It means that even if you use a WOHyperlink with a href binding with a static string to e.g. an external site it would append the session id to that url automatically. With WO 5.3 it did so only if you added an extra binding ?wosid=true but with WO 5.4 / 5.4.1 it is the other way round.

jw

 Yours

Miguel Arroz

On 2008/07/13, at 00:29, Joe Little wrote:

apparently, there was a security issue in there resolved by this
release. Likely:

5657595	WOHyperlink generates WOSID's on absolute URLs

see http://www.macnn.com/articles/08/07/12/apple.xcode.tools.31/

On Fri, Jul 11, 2008 at 6:09 PM, Pascal Robert <email@hidden> wrote:

And WO 5.4.2 release notes :

     http://support.apple.com/kb/HT1979

Available at the usual place.

https://connect.apple.com

--
Seeya...Q

Quinton Dolan - email@hidden
Gold Coast, QLD, Australia (GMT+10)
Ph: +61 419 729 806

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden

-------------------------------------------------------
Pascal Robert

http://www.macti.ca
http://www.linkedin.com/in/macti

Skype: MacTICanada
AIM/iChat : MacTICanada

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden


http://www.survs.com

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden

Attachment: smime.p7s
Description: S/MIME cryptographic signature

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

Follow-Ups:
- Re: XCode 3.1 is out.
  - From: Miguel Arroz <email@hidden>

References:
	>XCode 3.1 is out. (From: Q <email@hidden>)
	>Re: XCode 3.1 is out. (From: Pascal Robert <email@hidden>)
	>Re: XCode 3.1 is out. (From: "Joe Little" <email@hidden>)
	>Re: XCode 3.1 is out. (From: Miguel Arroz <email@hidden>)

Prev by Date: WOLips modeler Attribute prefix???
Next by Date: Re: XCode 3.1 is out.
Previous by thread: Re: XCode 3.1 is out.
Next by thread: Re: XCode 3.1 is out.
Index(es):
- Date
- Thread