[ZendTo] XSS
Kevin Miller
kevin.miller at juneau.org
Wed Mar 2 23:37:07 GMT 2016
> P.S. Sorry I haven't done an update in *ages*. 2 questions:
> (1) What other outstanding bugs/patches are there?, and
> (2) Is it worth me re-writing the areyouahuman CAPTCHA
> code for their new one, or is everyone happy with the Google
> one (reCAPTCHA) that is there already?
Not sure about bug patches in zendto, but of late there are some significant issues regarding web server security, if you'll indulge a bit of slightly off-topic traffic.
A new attack makes all servers running SSLv2 vulnerable.
Info on the latest attack can be had here:
https://drownattack.com/
http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
Note that the attack works even if SSLv2 is "soft disabled" by disabling all SSLv2 ciphers.
To check for other vulnerabilities, run the tests at:
https://www.ssllabs.com/ssltest/index.html
For fixes, see:
http://blog.rlove.org/2013/12/strong-ssl-crypto.html
Regarding AreYouAHuman, I just rolled back to reCaptcha. Options are nice, but the reCaptcha isn't nearly as odious as it was in the past.
...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357
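A small probe for the SSLv2 exposure discussed in the message above, added here as an example; it is not ZendTo code and not taken from the linked pages. It sends a raw SSLv2 CLIENT-HELLO (the handshake is cleartext, so no SSLv2 crypto is needed) and reports whether the server answers with an SSLv2 SERVER-HELLO and which cipher specs it still offers. The hostname, port and timeout are whatever you pass in; the sample reply bytes at the bottom are constructed for offline use, not captured from a real server.

```python
"""SSLv2 probe: does this server still answer an SSLv2 CLIENT-HELLO?

Added example for this thread, not ZendTo code. A SERVER-HELLO reply means the
server speaks SSLv2 and, if it shares its RSA key with any TLS service, can be
used as a DROWN oracle. Port and hostname are caller-supplied assumptions.
"""
import os
import socket
import struct

# SSLv2 cipher specs (3 bytes each) from the SSLv2 specification. Offering all
# of them lets the server reveal which ones it would still negotiate.
SSLV2_CIPHER_SPECS = {
    "010080": "SSL_CK_RC4_128_WITH_MD5",
    "020080": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    "030080": "SSL_CK_RC2_128_CBC_WITH_MD5",
    "040080": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    "050080": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    "060040": "SSL_CK_DES_64_CBC_WITH_MD5",
    "0700c0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
TLS_ALERT = 0x15  # first byte of a TLS alert record


def build_client_hello(challenge=None):
    """Serialise an SSLv2 CLIENT-HELLO offering every cipher spec above."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(bytes.fromhex(s) for s in SSLV2_CIPHER_SPECS)
    # type, version 2.0, cipher-specs length, session-id length, challenge length
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    # 2-byte record header: high bit set = no padding byte, low 15 bits = length
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_response(data):
    """Classify the first record a server returned after our CLIENT-HELLO.

    Pure function, so it can be exercised on captured bytes without a network.
    """
    result = {"sslv2": False, "cipher_specs": [], "reason": ""}
    if len(data) < 3:
        result["reason"] = "connection closed or empty reply"
        return result
    if data[0] == TLS_ALERT:
        result["reason"] = "TLS alert (server rejected the SSLv2 hello)"
        return result
    if data[0] & 0x80:  # 2-byte SSLv2 record header
        hdr, length = 2, ((data[0] & 0x7F) << 8) | data[1]
    else:  # 3-byte header: 14-bit length plus a padding byte
        hdr, length = 3, ((data[0] & 0x3F) << 8) | data[1]
    msg = data[hdr:hdr + length]
    if len(msg) < 11 or msg[0] != MSG_SERVER_HELLO:
        result["reason"] = "not an SSLv2 SERVER-HELLO"
        return result
    # SERVER-HELLO layout: type, session-id-hit, cert-type, version(2),
    # cert-len(2), cipher-specs-len(2), conn-id-len(2), cert, cipher specs, conn id
    cert_len, specs_len, _conn_len = struct.unpack(">HHH", msg[5:11])
    specs = msg[11 + cert_len:11 + cert_len + specs_len]
    result["sslv2"] = True
    result["cipher_specs"] = [specs[i:i + 3].hex() for i in range(0, len(specs) - 2, 3)]
    result["reason"] = "SSLv2 SERVER-HELLO received"
    return result


def check_host(host, port=443, timeout=5.0):
    """Connect, send the CLIENT-HELLO, read the reply and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        try:
            while len(data) < 4096:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                # stop once we hold a TLS alert or the complete first SSLv2 record
                if data[0] == TLS_ALERT:
                    break
                if data[0] & 0x80 and len(data) >= 2 + (((data[0] & 0x7F) << 8) | data[1]):
                    break
        except socket.timeout:
            pass
    return parse_server_response(data)


# Constructed sample reply (not a real capture): a SERVER-HELLO carrying a 4-byte
# placeholder certificate, two cipher specs and a 16-byte connection id.
SAMPLE_SERVER_HELLO_BODY = (
    bytes([MSG_SERVER_HELLO, 0x00, 0x01]) + b"\x00\x02"
    + struct.pack(">HHH", 4, 6, 16)
    + b"\x30\x82\x00\x00"  # placeholder certificate bytes
    + bytes.fromhex("010080") + bytes.fromhex("0700c0")
    + b"\x00" * 16
)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(SAMPLE_SERVER_HELLO_BODY)) + SAMPLE_SERVER_HELLO_BODY
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # constructed fatal handshake_failure


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    verdict = check_host(target) if target else parse_server_response(SAMPLE_SERVER_HELLO)
    print(verdict["reason"])
    for spec in verdict["cipher_specs"]:
        print("  offered:", spec, SSLV2_CIPHER_SPECS.get(spec, "unknown"))
```

Run it as `python sslv2_probe.py mail.example.org` (port 443 unless you change it); with no argument it parses the constructed sample. Two caveats worth keeping in mind when reading the result: DROWN needs an SSLv2 endpoint that shares its RSA key with the TLS service you care about, so a clean result on the web port says nothing about an SMTP, IMAP or POP listener using the same certificate, and "disabling all SSLv2 ciphers" is not the same as turning the protocol off, which is what Kevin's "soft disabled" remark is about. On Apache the protocol switch is `SSLProtocol all -SSLv2 -SSLv3`; on nginx it is an `ssl_protocols` line that simply omits SSLv2 and SSLv3.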