Hi Fabio,

* Fabio Tranchitella <[EMAIL PROTECTED]> [2008-04-05 19:27]:
> * 2008-04-05 14:01, Florian Weimer wrote:
> > * Nico Golde:
> > >
> > > While I agree that the cookie issues and the session id
> > > issue is not of a high impact I still think that at least
> > > the CSRF issue should be fixed cause the exploit scenario
> > > has a certain real life importance.
> >
> > The __ac cookie issue is significant as well if the secure flag is not
> > set on the cookie even if login happens over HTTPS.
>
> I can't say anything else than "I fully agree", but on a public IRC channel
> (irc.freenode.net#plone) I only got useless answers from some core Plone
> developers telling me that these problems are kindergarten.

I know why I'm not using that cruft ;D

> I know that Wichert is working on some of these issues, and this branch
> will be released as Plone 3.1, but I couldn't find the exact list of issues
> addressed.

Well I don't see a real problem with that, I think they should have a certain
interest in having their release in lenny. I'm no webapps guy but maybe
someone else will have the time to look into that in more detail...

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
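Added example (mine, not code from Plone or from this thread): a small Python check for the cookie point Florian raises above, that an `__ac` cookie set during an HTTPS login but lacking the `Secure` attribute is also sent by the browser over plain HTTP. The set of cookie names treated as authentication cookies and the sample headers are assumptions constructed for the illustration.

```python
"""Flag authentication cookies that a browser would also send over plain HTTP.

Illustration only; not code from Plone or from the mailing-list thread.
"""

# Cookie names treated as authentication cookies. "__ac" comes from the
# thread; anything else you add here is your own assumption.
AUTH_COOKIE_NAMES = {"__ac"}


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, Domain, Expires) to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def insecure_auth_cookies(set_cookie_headers, over_https: bool) -> list:
    """Return names of auth cookies exposed to cleartext transport.

    A cookie issued over HTTPS without the Secure attribute is reported.
    A cookie issued over plain HTTP is reported regardless of attributes,
    because it already crossed the wire in the clear.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in AUTH_COOKIE_NAMES:
            continue
        if not over_https or not cookie["attrs"].get("secure"):
            findings.append(cookie["name"])
    return findings


# Constructed sample headers resembling a login response (not a real capture).
SAMPLE_HEADERS = [
    "__ac=c2FtcGxl; Path=/; HttpOnly",          # missing Secure: reported
    "__ac=c2FtcGxl; Path=/; Secure; HttpOnly",  # hardened form: not reported
    "theme=light; Path=/",                      # not an auth cookie: ignored
]

if __name__ == "__main__":
    print(insecure_auth_cookies(SAMPLE_HEADERS, over_https=True))  # ['__ac']
```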