WebApp Sec mailing list archives

Maia Mailguard http://www.renaissoft.com/maia/


From: Christopher Canova <ccanova () reachone com>
Date: Sat, 16 Jul 2005 15:59:10 -0700

I'm doing my best to assist a group with an open source project that uses amavisd-new and spamassassin called Maia Mailguard (http://www.renaissoft.com/maia/). It's a spam and virus management system written in Perl and PHP. We are currently in a discussion about using the PHP Session ID in the URL and whether to strictly enforce cookies to avoid session hijacking. The fear is that we could possibly be passing along the referral information to a spammer willing to exploit such a vuln. Some of the discussion is related closely to this mailing list, so I wanted to see what everyone thought about it.

What are the risks to enforcing session handling using cookies? Will it break functionality for many people? Are the risks of including the SID in the URL worse than cookies?

My interest in the project is the possibilities it has for enterprise deployments for small ISPs and whatnot. I encourage anyone willing to work on a security project (for CISSP credit or whatnot) to get involved in the development of Maia. I think it's a worthwhile endeavour for those interested in combating spam. According to http://www.renaissoft.com/maia/download.php, developers interested in contributing code to the project can request a non-anonymous SVN login with commit privileges (see the website).

The Maia Mailguard project files are all available via subversion (SVN), for those who prefer to access the files this way. You can browse the repository at https://secure.renaissoft.com/cgi-bin/trac.cgi/browser/trunk or use an SVN client to connect anonymously (no login required):

$ svn checkout https://secure.renaissoft.com/svn/maia/trunk

See http://www.renaissoft.com/pipermail/maia-devel/ for archives of the Maia-devel mailing list (http://www.renaissoft.com/mailman/listinfo/maia-devel) if interested. I may be using WebGoat once I figure it out to go over the thing and if someone with more experience is willing to give it a shot, I'd love to see the results on the mailing list.
--
Christopher Canova
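One way to enforce the cookie-only session handling the post is debating, as an added example that is not code from the Maia project or from the original post (the function names are hypothetical, and the cookie flags assume the interface is served over HTTPS):

```php
<?php
// Added example, not Maia project code. The behaviour being discussed:
//   session.use_trans_sid = 1    -> PHP rewrites the SID into every link and form
//   session.use_only_cookies = 0 -> a SID arriving in the query string is accepted
// With either, the SID ends up in URLs and can leak to a linked site via Referer.

function startHardenedSession(): void
{
    // Never accept a session ID from the URL, and never append one to links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the server never issued (defeats session fixation).
    ini_set('session.use_strict_mode', '1');
    // Cookie not readable by script and only sent over HTTPS (assumed deployment).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // A SID may still show up in the query string (old bookmark, mailed link).
    // use_only_cookies already ignores it; rotate anyway so the leaked value
    // can never match a live session.
    if (isset($_GET[session_name()])) {
        session_regenerate_id(true);
    }
}

function onSuccessfulLogin(string $user): void
{
    // Rotate the ID at privilege change so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

startHardenedSession();
// ... authenticate the request, then call onSuccessfulLogin($user).
```

The trade-off raised in the post is real: with these settings a browser that refuses cookies cannot hold a session at all, so the login page should say so rather than fail silently.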

