25 Sep 2002 ErikLevy   » (Journeyer)

I noticed mascot's comment about tttt now 'forging' other people's accounts. It is pretty clear that Advogato is not meant to be the most securely designed site on the Web, but instead a test of a concept of raph's.

The real question is, is this particular 'hole' easily fixed in an environment that is not meant to be secure? Looking (very briefly), it seems a bit of adjustment might be all that is needed, but it really matters how the Advogato system handles cookie and login information during the /acct/certify.html page generation.

And of course, a brute force attack could always be one way to get into an account. However, a brute force attack can be countered in various ways, so that would be of only limited access potential.

All in all, most people probably don't feel like there is so much here that needs protecting, but it is strange, when you lose your innocence, how what seems not important suddenly becomes so.
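One of the "various ways" a brute force attack gets countered, shown as an added example rather than anything from Advogato or mod_virgule: track failed logins per account and lock the account for a growing interval once too many failures pile up inside a short window. Everything here is assumed for illustration: the thresholds (5 failures in 300 seconds, a 60-second lockout that doubles each time), the in-memory table, and the function names. The simulation at the end guesses once per second and counts how many guesses the server actually checks against the password.

```c
/* Added example, not mod_virgule code: per-account failed-login tracking
 * with an escalating lockout.  Thresholds and names are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_ACCOUNTS  64
#define MAX_FAILURES  5     /* failures tolerated inside one window        */
#define FAIL_WINDOW   300   /* seconds over which failures are counted     */
#define LOCKOUT_BASE  60    /* seconds; doubles with each consecutive lock */
#define MAX_SHIFT     10    /* cap on doubling: 60 << 10 is about 17 hours */

struct account_state {
    char   name[32];
    bool   in_use;
    int    failures;      /* failures seen in the current window */
    time_t window_start;
    time_t locked_until;  /* 0 means not locked */
    int    lockouts;      /* consecutive lockouts, drives the backoff */
};

static struct account_state table[MAX_ACCOUNTS];

void reset_all(void) { memset(table, 0, sizeof table); }

/* Find the slot for `name`, creating one if needed; NULL when the table is full. */
static struct account_state *lookup(const char *name)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_ACCOUNTS; i++) {
        if (table[i].in_use && strcmp(table[i].name, name) == 0)
            return &table[i];
        if (!table[i].in_use && free_slot < 0)
            free_slot = i;
    }
    if (free_slot < 0)
        return NULL;
    struct account_state *a = &table[free_slot];
    memset(a, 0, sizeof *a);
    snprintf(a->name, sizeof a->name, "%s", name);
    a->in_use = true;
    return a;
}

/* May a login attempt for `name` be checked at time `now`?
 * Fails closed (false) when the account cannot be tracked. */
bool login_allowed(const char *name, time_t now)
{
    struct account_state *a = lookup(name);
    return a != NULL && now >= a->locked_until;
}

/* Record a failed attempt; returns true when this failure locked the account. */
bool record_failure(const char *name, time_t now)
{
    struct account_state *a = lookup(name);
    if (a == NULL)
        return true;
    if (now - a->window_start > FAIL_WINDOW) {   /* stale window: start over */
        a->window_start = now;
        a->failures = 0;
    }
    if (++a->failures < MAX_FAILURES)
        return false;
    int shift = a->lockouts < MAX_SHIFT ? a->lockouts : MAX_SHIFT;
    a->locked_until = now + ((time_t)LOCKOUT_BASE << shift);
    a->lockouts++;
    a->failures = 0;
    a->window_start = now;
    return true;
}

/* A correct password clears the failure history. */
void record_success(const char *name)
{
    struct account_state *a = lookup(name);
    if (a == NULL)
        return;
    a->failures = 0;
    a->lockouts = 0;
    a->locked_until = 0;
}

/* Attacker guesses once per second for `attempts` seconds, every guess wrong.
 * Returns how many guesses were actually checked against the password. */
int simulate_bruteforce(const char *name, int attempts, time_t start)
{
    int checked = 0;
    for (int i = 0; i < attempts; i++) {
        time_t now = start + i;
        if (!login_allowed(name, now))
            continue;                 /* locked: rejected before any check */
        checked++;
        record_failure(name, now);
    }
    return checked;
}

int main(void)
{
    reset_all();
    printf("100 guesses: %d checked\n", simulate_bruteforce("alice", 100, 1000));
    printf("1000 guesses: %d checked\n", simulate_bruteforce("bob", 1000, 1000));
    return 0;
}
```

With these assumed numbers, 100 guesses yield only 10 password checks and 1000 guesses only 25, which is the "limited access potential" in practice. The caveat a practitioner would raise: a pure per-account lockout lets anyone lock a victim out by deliberately guessing wrong, so a real deployment pairs it with per-source throttling or a challenge rather than relying on the account lock alone.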
