Comments on: About logical security flaws http://antisnatchor.com/2009/07/19/about-logical-security-flaws/ Keeping You Informed on the latest and coolest AntiSnatchOr security researches... Tue, 27 Jul 2010 02:01:34 +0100 http://wordpress.org/?v=2.8.5 hourly 1 By: teapartylatest http://antisnatchor.com/2009/07/19/about-logical-security-flaws/comment-page-1/#comment-34 teapartylatest Mon, 12 Apr 2010 02:20:58 +0000 http://antisnatchor.com/?p=70#comment-34 appreciated this post! appreciated this post!

]]> By: antisnatchor http://antisnatchor.com/2009/07/19/about-logical-security-flaws/comment-page-1/#comment-21 antisnatchor Mon, 20 Jul 2009 17:11:41 +0000 http://antisnatchor.com/?p=70#comment-21 That's right. I'm glad you like my point of view. I will look deeper on it in these days. That’s right.
I’m glad you like my point of view.
I will look deeper on it in these days.

]]> By: Si Chen http://antisnatchor.com/2009/07/19/about-logical-security-flaws/comment-page-1/#comment-20 Si Chen Mon, 20 Jul 2009 17:04:01 +0000 http://antisnatchor.com/?p=70#comment-20 I think you bring up some good points, in addition to what we've discussed already. We should probably always require that the user enter the old password before changing it, even if the user is the owner of the password. We should probably also require that the admin user always enter his own password before being able to change somebody else's password. These kind of logical flaws can be exploited by more ways than just XSRF. For example, somebody could just walk over to the admin user's terminal while he is out for a coffee break and start changing passwords, if we don't require the admin password to be checked first. I think you bring up some good points, in addition to what we’ve discussed already. We should probably always require that the user enter the old password before changing it, even if the user is the owner of the password. We should probably also require that the admin user always enter his own password before being able to change somebody else’s password.

These kind of logical flaws can be exploited by more ways than just XSRF. For example, somebody could just walk over to the admin user’s terminal while he is out for a coffee break and start changing passwords, if we don’t require the admin password to be checked first.

]]> By: About logical security flaws « crm like soft http://antisnatchor.com/2009/07/19/about-logical-security-flaws/comment-page-1/#comment-19 About logical security flaws « crm like soft Sun, 19 Jul 2009 12:33:06 +0000 http://antisnatchor.com/?p=70#comment-19 [...] here to see the original:  About logical security flaws 19 Jul 09 | [...] [...] here to see the original:  About logical security flaws 19 Jul 09 | [...]

]]>