[pmwiki-users] PageList Project

Patrick R. Michaud pmichaud at pobox.com
Sun Jan 21 10:24:22 CST 2007


On Sun, Jan 21, 2007 at 12:14:29PM -0000, marc wrote:
> An alternative approach is to email the update details as parameters to 
> a URL and embed this in an email. The user then only has to click the 
> link to update their details. Something like:
> 
> http://www.example.com/Site/ChangeEmailConfirmation?hash=
> 0e8fc8eafd8506101171031c52d6502b&email=fred%40spammaster.com
> 
> (Generate the hash by something like:
>    $hash = md5($newemail.$hiddenHash);)
> 
> This method never times out.

Just to make an assumption explicit:  This method also
requires that the value of $hiddenHash be kept hidden from
potential attackers.  An attacker that knows the value of
$hiddenHash can easily generate false confirmations.

In particular, if many sites end up using similar values of
$hiddenHash (e.g., obtained through a recipe default setting), 
then it will be easy for an attacker to duplicate the method
and exploit it.

Pm
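An added example, not from this thread or from PmWiki itself, of the keyed confirmation-link scheme marc describes, using HMAC-SHA256 in place of md5($newemail.$hiddenHash). It illustrates Pm's caveat: a link built with a different secret is rejected, but a site still running a shared recipe default accepts any link built with that default. SITE_SECRET, RECIPE_DEFAULT_SECRET and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Per-installation secret, the role $hiddenHash plays in the quoted recipe.
# A real deployment generates it once and stores it outside the code;
# it is generated at import time here so the example runs stand-alone.
SITE_SECRET = secrets.token_bytes(32)

# Constructed stand-in for a default shipped in a hypothetical recipe's
# config: every site that never changes it shares one key with everyone
# who has read the recipe.
RECIPE_DEFAULT_SECRET = b"changeme"

CONFIRM_URL = "http://www.example.com/Site/ChangeEmailConfirmation"


def confirmation_hash(secret: bytes, email: str) -> str:
    """Keyed hash of the new address (HMAC instead of md5(email . secret))."""
    return hmac.new(secret, email.encode("utf-8"), hashlib.sha256).hexdigest()


def build_link(secret: bytes, email: str) -> str:
    """Link placed in the confirmation mail: hash and address as parameters."""
    return CONFIRM_URL + "?" + urlencode(
        {"hash": confirmation_hash(secret, email), "email": email})


def confirm(secret: bytes, url: str) -> bool:
    """Server side: recompute the hash for the submitted address and compare
    it to the presented one in constant time."""
    params = parse_qs(urlsplit(url).query)
    email = params.get("email", [""])[0]
    presented = params.get("hash", [""])[0]
    return hmac.compare_digest(confirmation_hash(secret, email), presented)


if __name__ == "__main__":
    link = build_link(SITE_SECRET, "fred@spammaster.com")
    print(link)
    print("genuine link accepted:", confirm(SITE_SECRET, link))
    # A link made with the recipe default is useless against a site that
    # set its own secret, but still valid at any site that kept the default.
    default_link = build_link(RECIPE_DEFAULT_SECRET, "fred@spammaster.com")
    print("default-secret link at hardened site:", confirm(SITE_SECRET, default_link))
    print("default-secret link at default site:", confirm(RECIPE_DEFAULT_SECRET, default_link))
```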
