[pmwiki-users] PageList Project
Patrick R. Michaud
pmichaud at pobox.com
Sun Jan 21 10:24:22 CST 2007
On Sun, Jan 21, 2007 at 12:14:29PM -0000, marc wrote:
> An alternative approach is to email the update details as parameters to
> a URL and embed this in an email. The user then only has to click the
> link to update their details. Something like:
>
> http://www.example.com/Site/ChangeEmailConfirmation?hash=0e8fc8eafd8506101171031c52d6502b&email=fred%40spammaster.com
>
> (Generate the hash by something like:
> $hash = md5($newemail.$hiddenHash);)
>
> This method never times out.
Just to make an assumption explicit: This method also
requires that the value of $hiddenHash be kept hidden from
potential attackers. An attacker that knows the value of
$hiddenHash can easily generate false confirmations.
In particular, if many sites end up using similar values of
$hiddenHash (e.g., obtained through a recipe default setting),
then it will be easy for an attacker to duplicate the method
and exploit it.
Pm
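The scheme marc describes and the failure mode Pm points out, as an added example that is not code from the thread or from PmWiki: a per-site secret is generated with the OS CSPRNG, the confirmation link carries a keyed hash of the new address, and the receiving end recomputes it. Assumptions: HMAC-SHA256 is used in place of the posted md5($newemail.$hiddenHash) construction, the endpoint path is the one from the quoted URL, and the "recipe default" secret in the demo is a constructed stand-in for a value shared across installs.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint path taken from the URL quoted in the post (hypothetical host).
CONFIRM_ENDPOINT = "http://www.example.com/Site/ChangeEmailConfirmation"


def generate_site_secret() -> bytes:
    """Per-site secret (the post's $hiddenHash): 32 bytes from the OS CSPRNG.

    Generate it once per site and keep it outside the web root. A value that
    ships as a recipe default is known to anyone who reads the recipe, which is
    exactly the case Pm warns about.
    """
    return secrets.token_bytes(32)


def make_token(new_email: str, site_secret: bytes) -> str:
    # Keyed hash over the address. HMAC-SHA256 is an assumption here, swapped in
    # for the md5($newemail . $hiddenHash) shown in the post.
    return hmac.new(site_secret, new_email.encode("utf-8"), hashlib.sha256).hexdigest()


def build_confirmation_url(new_email: str, site_secret: bytes,
                           base: str = CONFIRM_ENDPOINT) -> str:
    """Link to embed in the e-mail sent to the user's current address."""
    query = urlencode({"hash": make_token(new_email, site_secret), "email": new_email})
    return base + "?" + query


def verify_confirmation_url(url: str, site_secret: bytes):
    """Return the confirmed address, or None if the link does not verify."""
    params = parse_qs(urlparse(url).query)
    if "hash" not in params or "email" not in params:
        return None
    email = params["email"][0]
    presented = params["hash"][0]
    expected = make_token(email, site_secret)
    # Constant-time comparison so a byte-by-byte timing difference does not
    # leak the expected token.
    if not hmac.compare_digest(expected, presented):
        return None
    return email


def forgery_demo() -> dict:
    """Constructed scenario: a site still on a shared default secret vs. one
    that generated its own."""
    recipe_default = b"changeme"        # constructed stand-in for a shared default
    own_secret = generate_site_secret()

    # The attacker knows the default (it is in the recipe) and mints a
    # "confirmation" for an address they control.
    forged = build_confirmation_url("mallory@evil.example", recipe_default)

    return {
        "default_site_accepts_forgery":
            verify_confirmation_url(forged, recipe_default) == "mallory@evil.example",
        "own_secret_rejects_forgery":
            verify_confirmation_url(forged, own_secret) is None,
    }


if __name__ == "__main__":
    secret = generate_site_secret()
    link = build_confirmation_url("fred@spammaster.com", secret)
    print(link)
    print(verify_confirmation_url(link, secret))
    print(forgery_demo())
```

The forgery demo is the whole point of Pm's caveat: the verification code is identical on both sites, and the only thing separating a usable scheme from a forgeable one is whether the secret is unique to the site and unknown to the attacker.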