Closed shakatoday closed 2 years ago
https://github.com/rabbibotton/clog/blob/29fb063ad612d4caff30cef2ac6ba8f69e1355d0/source/clog-connection.lisp#L176-L179
An attacker can first get current generated ID (which are now serial numbers) to know current possible ids range. Then, the attacker could steal others' connections with ws://HOST/clog?r=CONNECTION_ID.
ws://HOST/clog?r=CONNECTION_ID
Will address that this week.
I updated how the ids are generated. Ideally you are also using https when security an issue as well.
https://github.com/rabbibotton/clog/blob/29fb063ad612d4caff30cef2ac6ba8f69e1355d0/source/clog-connection.lisp#L176-L179
An attacker can first get current generated ID (which are now serial numbers) to know current possible ids range. Then, the attacker could steal others' connections with
ws://HOST/clog?r=CONNECTION_ID
.