Zen of website maintenance

A certain website had a few vulnerabilities, including XSS and leaking passwords. The fixes were:

  • The <script> tag was turned on for pending users. It is now configured off. All other users get their tags filtered against a safe list.
  • The superuser always skips the filter and sees all tags. I can’t fix this, but I’ve changed the cookie so that it’s not useful to a cookie catcher.
  • The ‘password’ in the cookie was just a hash of the password. It is now a hash of the password, the IP address of the client, and a secret. A leaked ‘password’ should only be usable from the same IP.
  • The ‘password’ field has been removed from all forms and replaced with cookie-based authentication.
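The cookie change in the third point, worked through as an added example (not code from the site or from the author): the stored password hash is bound to the client IP and a server-side secret, so a value captured by a cookie catcher no longer verifies from a different address. The secret, the sample IPs and the password are constructed placeholders, and the example uses HMAC-SHA256 as the "hash of password, IP and secret" rather than a bare hash of the concatenation, which is my choice, not something the post specifies.

```python
import hashlib
import hmac

# Constructed server-side secret for this example only; a real deployment
# generates it once, stores it outside source control, and rotates it.
SERVER_SECRET = b"example-secret-do-not-use"


def password_hash(password: str) -> str:
    """Stand-in for the hash the site already stores at registration."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_cookie_token(pw_hash: str, client_ip: str, secret: bytes = SERVER_SECRET) -> str:
    """Bind the stored password hash to the client IP under a server secret.

    HMAC is used instead of sha256(secret + pw_hash + ip) so the secret acts as
    a key and the construction is not exposed to length-extension tricks.
    """
    message = f"{pw_hash}|{client_ip}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_cookie_token(token: str, pw_hash: str, client_ip: str,
                        secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the expected token for this request's IP and compare in constant time."""
    expected = make_cookie_token(pw_hash, client_ip, secret)
    return hmac.compare_digest(token, expected)


def demo() -> dict:
    """Issue a token from one IP and check it from the same and a different IP."""
    ph = password_hash("correct horse battery staple")   # constructed password
    token = make_cookie_token(ph, "203.0.113.10")        # constructed client IP (TEST-NET-3)
    return {
        "same_ip": verify_cookie_token(token, ph, "203.0.113.10"),
        "other_ip": verify_cookie_token(token, ph, "198.51.100.7"),
        "token_is_not_plain_hash": token != ph,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical caveats when adopting this: clients behind a shared NAT still present the same IP to the server, so the binding narrows rather than eliminates replay, and users whose address changes mid-session (mobile, DHCP) will be logged out. Most frameworks today avoid deriving the cookie from the password at all and issue a random session identifier instead, so a leaked cookie can be revoked without touching the password.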
Michael Hope
Software Engineer