
Maia Mailguard http://www.renaissoft.com/maia/

Subject: Maia Mailguard http://www.renaissoft.com/maia/
Date: Sat, 16 Jul 2005 15:59:10 -0700
I'm doing my best to assist a group with an open source project that uses amavisd-new and spamassassin called Maia Mailguard (http://www.renaissoft.com/maia/). It's a spam and virus management system written in Perl and PHP. We are currently in a discussion about using the PHP Session ID in the URL and whether to strictly enforce cookies to avoid session hijacking. The fear is that we could possibly be passing along the referral information to a spammer willing to exploit such a vuln. Some of the discussion is related closely to this mailing list, so I wanted to see what everyone thought about it.

What are the risks to enforcing session handling using cookies? Will it break functionality for many people? Are the risks of including the SID in the URL worse than cookies?

My interest in the project is the possibilities it has for enterprise deployments for small ISPs and whatnot. I encourage anyone willing to work on a security project (for CISSP credit or whatnot) to get involved in the development of Maia. I think it's a worthwhile endeavour for those interested in combating spam. According to http://www.renaissoft.com/maia/download.php, developers interested in contributing code to the project can request a non-anonymous SVN login with commit privileges (see the website).

The Maia Mailguard project files are all available via subversion (SVN), for those who prefer to access the files this way. You can browse the repository at https://secure.renaissoft.com/cgi-bin/trac.cgi/browser/trunk or use a SVN client to connect anonymously (no login required):

$ svn checkout https://secure.renaissoft.com/svn/maia/trunk

See http://www.renaissoft.com/pipermail/maia-devel/ for archives of the Maia-devel mailing list (http://www.renaissoft.com/mailman/listinfo/maia-devel) if interested. I may be using WebGoat, once I figure it out, to go over the thing, and if someone with more experience is willing to give it a shot, I'd love to see the results on the mailing list.
--
Christopher Canova
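
The cookie-only setup the post asks about, as an added example that is not part of the original message and is not Maia Mailguard code: it turns off URL-borne session IDs, so the ID cannot travel in a Referer header, and redirects any request that still carries one. The helper function names are hypothetical, HTTPS is assumed for the secure cookie flag, and clients that refuse cookies will not be able to keep a session.

```php
<?php
// Added example: cookie-only session handling for a PHP application.
// Function names are hypothetical; this is not Maia Mailguard code.

function harden_session_settings(): void
{
    // Never accept a session ID from the URL or from POST data.
    ini_set('session.use_only_cookies', '1');
    // Never rewrite links and forms to append the session ID.
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs the server did not issue (PHP 5.5.2 and later).
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from page scripts and plain-HTTP requests.
    // Assumption: the site is served over HTTPS.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
}

// True when the query string still carries the session ID,
// for example from an old bookmarked or forwarded link.
function url_carries_session_id(array $query, string $name): bool
{
    return array_key_exists($name, $query);
}

// Rebuild the request URL without the session parameter.
function url_without_session_id(string $path, array $query, string $name): string
{
    unset($query[$name]);
    $qs = http_build_query($query);
    return $qs === '' ? $path : $path . '?' . $qs;
}

if (PHP_SAPI !== 'cli') {
    harden_session_settings();
    $name = session_name(); // "PHPSESSID" unless reconfigured
    if (url_carries_session_id($_GET, $name)) {
        // Redirect to the clean URL so the ID does not stay in the
        // address bar, in server logs, or in outgoing Referer headers.
        $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';
        header('Location: ' . url_without_session_id($path, $_GET, $name), true, 302);
        exit;
    }
    session_start();
}
```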

