#45: Don't use gensym for actions to avoid XSS attacks
-----------------------+----------------------------------------------------
 Reporter:  anonymous  |       Owner:  sakhmechet
     Type:  defect     |      Status:  new
 Priority:  critical   |   Milestone:
Component:  weblocks   |     Version:
 Keywords:  security   |
-----------------------+----------------------------------------------------
gensym-based action URLs can be guessed, and thus the following attack is
possible:

A user has his weblocks-based bank system open. In Gmail, the user gets a
link to a web page that will generate lots of guessed action URLs that
transfer funds out of the user's bank account.

Ways to fix:

1. Require session id in URLs
2. Or, generate stronger non-gensym based action ids

--
Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45>
cl-weblocks <http://common-lisp.net/project/cl-weblocks>
cl-weblocks
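The two fix options side by side, as an added Common Lisp example that is not cl-weblocks code: a gensym id is a global counter and therefore guessable, while an id drawn from the OS CSPRNG and registered in a per-session table is neither guessable nor reusable across sessions. The example assumes a POSIX /dev/urandom; the names `weak-action-id`, `strong-action-id`, `session`, `register-action` and `invoke-action` are this example's own.

```lisp
;;; Added example, not cl-weblocks code. Assumes /dev/urandom exists.

(defun weak-action-id ()
  "The pattern the ticket warns about: gensym output is a global counter
(e.g. ACTION1234), so anyone who knows the scheme can guess the next id
without ever seeing the page that embeds it."
  (string (gensym "ACTION")))

(defun strong-action-id (&optional (nbytes 16))
  "128 bits from the OS CSPRNG, hex encoded; earlier ids reveal nothing
about later ones (the ticket's fix option 2)."
  (with-open-file (in "/dev/urandom" :element-type '(unsigned-byte 8))
    (let ((buf (make-array nbytes :element-type '(unsigned-byte 8))))
      (unless (= (read-sequence buf in) nbytes)
        (error "short read from /dev/urandom"))
      (format nil "~{~2,'0x~}" (coerce buf 'list)))))

(defstruct session
  ;; action id -> closure. One table per session, so an id that leaks
  ;; from one session is useless in another (the ticket's fix option 1).
  (actions (make-hash-table :test #'equal)))

(defun register-action (session fn)
  "Install FN under a fresh random id and return the id for the URL."
  (let ((id (strong-action-id)))
    (setf (gethash id (session-actions session)) fn)
    id))

(defun invoke-action (session id)
  "Run the action named by ID only if THIS session registered it; a
forged or guessed id returns :UNKNOWN-ACTION and does nothing else."
  (multiple-value-bind (fn found) (gethash id (session-actions session))
    (if found
        (funcall fn)
        :unknown-action)))

;; Demo: the guessed gensym-style id is rejected, the issued id runs.
(let* ((s (make-session))
       (id (register-action s (lambda () :transfer-done))))
  (list (invoke-action s (weak-action-id))
        (invoke-action s id)))
```

The registry should live in server-side session state, never in a global table shared by all users, or option 1 is lost again.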