
Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Kjell is right: we need to have a process for communicating important security announcements like this.

I propose a separate security forum, that is only for security updates and warnings. I know nobody likes having separate forums because it can fragment conversations, but the advantage is that nobody should have to follow any of the other forums if they only want security updates. And security updates are pretty mandatory.

You don't need to disable all HTML, Kjell, just not allow * for HTML.

Is this something that the OCT is willing to discuss and make some decisions about?

Jade, unfortunately it is not entirely true that disallowing * for HTML will be enough.

If a remote page (called B) contains an img tag that GETs a URL on your site (called A), then when you GET that page on B you'll also issue a GET request to your resource on A, with your credentials on A.

So HTML parsing WON'T solve this problem.

(However disallowing * will significantly reduce risk)
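The cross-site img request described in the reply above, modelled in code. This is an added example, not code from the thread or from OpenACS: site A, its session store, the cookie name `session_id`, the `/delete?msg=` endpoint and the browser's cookie jar are all constructed for illustration. It shows the point the reply makes (an `<img>` on page B makes the victim's browser send an authenticated GET to A, and A's HTML filtering never sees B's markup) and then the two checks that do stop it: refusing state changes on GET, and requiring a synchronizer token that only a page served by A could have embedded.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed model of site A (the victim site). Nothing here is OpenACS
# code; the cookie name, session value and endpoint are made up.
SESSIONS = {"sess-42": "alice"}                       # cookie value -> logged-in user
BROWSER_COOKIES = {"A": {"session_id": "sess-42"}}    # the victim browser's jar for host A


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)        # query string or form fields


@dataclass
class SiteA:
    deleted: list = field(default_factory=list)
    csrf_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def user_for(self, req):
        return SESSIONS.get(req.cookies.get("session_id"))

    def csrf_token(self, session_id):
        # Synchronizer token: derived from a server-side secret and the session,
        # embedded by A in its own forms. Page B can neither compute nor read it.
        return hmac.new(self.csrf_key, session_id.encode(), hashlib.sha256).hexdigest()

    def vulnerable_delete(self, req):
        # The pattern the reply warns about: any request carrying a valid
        # session cookie performs the state change, regardless of who caused it.
        user = self.user_for(req)
        if user is None or req.path != "/delete":
            return 403
        self.deleted.append((user, req.params.get("msg")))
        return 200

    def hardened_delete(self, req):
        user = self.user_for(req)
        if user is None or req.path != "/delete":
            return 403
        if req.method != "POST":          # an <img> can only issue a GET
            return 405
        expected = self.csrf_token(req.cookies["session_id"])
        if not hmac.compare_digest(req.params.get("csrf_token", ""), expected):
            return 403                    # a POST forged from B lacks the token
        self.deleted.append((user, req.params.get("msg")))
        return 200


def render_img_on_page_b(site_handler, src):
    """Model of the victim's browser rendering <img src=...> on attacker page B.

    The browser issues a GET to the host named in src and attaches that host's
    cookies (classic behaviour, i.e. cookies without SameSite restrictions).
    A never sees B's HTML, so A's own HTML filtering cannot intervene here.
    """
    parts = urlsplit(src)
    req = Request(
        method="GET",
        path=parts.path,
        cookies=dict(BROWSER_COOKIES.get(parts.netloc, {})),
        params=dict(parse_qsl(parts.query)),
    )
    return site_handler(req)


def demo():
    # Constructed attack: B's page contains <img src="http://A/delete?msg=17">.
    victim = SiteA()
    vuln_status = render_img_on_page_b(victim.vulnerable_delete, "http://A/delete?msg=17")

    fixed = SiteA()
    img_status = render_img_on_page_b(fixed.hardened_delete, "http://A/delete?msg=17")
    # B escalates to an auto-submitting <form method=post>: the cookie is still
    # sent, but the token is absent.
    forged = Request("POST", "/delete", dict(BROWSER_COOKIES["A"]), {"msg": "17"})
    forged_status = fixed.hardened_delete(forged)
    # A's own delete form carries the token, so the real user still succeeds.
    legit = Request("POST", "/delete", dict(BROWSER_COOKIES["A"]),
                    {"msg": "17", "csrf_token": fixed.csrf_token("sess-42")})
    legit_status = fixed.hardened_delete(legit)
    return vuln_status, victim.deleted, img_status, forged_status, legit_status, fixed.deleted


if __name__ == "__main__":
    print(demo())
```

The model attaches A's cookie to the cross-site image request, which is what browsers of the period did and what a cookie set with `SameSite=None` still gets today; browsers that default cookies to `SameSite=Lax` withhold it on this kind of request, but that is a browser-side mitigation the site cannot rely on. The two server-side checks are independent: the method check alone defeats the `<img>` vector, while the token is what stops B from upgrading to a forged POST.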