[dancer-users] Dancer 1.3400 released to CPAN - security fix, bugfixes and minor improvements

David Precious davidp at preshweb.co.uk
Sat Jun 16 15:57:00 BST 2018

On Fri, 15 Jun 2018 19:15:39 -0600
Warren Young <warren at etr-usa.com> wrote:

> On Jun 15, 2018, at 4:30 PM, David Precious <davidp at preshweb.co.uk>
> wrote:
> > 
> > - Validate session IDs read from client - GH #1172 - potential
> > security risk if the session provider in use passes the session ID
> > in a way where injection is possible.  
> Is there a list of session providers known to do this?  I don’t
> expect it to be complete, but I suspect that, like me, most people
> will have no way to evaluate whether their session providers are
> vulnerable.

OTTOMH, I believe it was Memcached-powered ones.

There was also a mention of Storable-powered sessions, because loading
Storable data from untrusted sources can be dangerous - but the
Storable data loaded is the session file which was written by the
application, the session ID passed through should not reach Storable,
so I'm not entirely sure there, I'd like to have seen a PoC.


Dave P

More information about the dancer-users mailing list