I checked my application, and I found the origin + fix. In the file
routes.php:
        Router::connect('/pages/*', array('controller' => 'pages', 'action' => 'display'));
        Router::connect('/sections/', array('controller' => 'sections', 'action' => 'index', 'prefix' => Configure::read('Routing.admin')));

My old file was without the 'prefix' key. That fixed the problem. Any
ideas why?

On Nov 30, 12:59 pm, AD7six <[EMAIL PROTECTED]> wrote:
> On Nov 30, 11:46 am, phpjoy <[EMAIL PROTECTED]> wrote:
>
> > I'm experiencing a VERY weird auth problem, which is a very big
> > security risk for my application.
>
> > When I try to access a page in the admin section directly, I'm being
> > redirected to the login page.
> > When I try to do the same via an XHR call, the page is loaded!
>
> > Example:
> > When I try to access the URL http://localhost/admin/sections/edit/1294
> > I get redirected to http://localhost/admin/login
>
> > When the program accesses the same URL, it loads the page.
> > Any ideas why it happens?
>
> > Here's my auth setup:
> >     function auth() {
> >         $this->controller->Auth->userScope = array('AdminUser.active' => '1');
> >         $this->controller->Auth->userModel = 'AdminUser';
> >         $this->controller->Auth->loginAction = '/' . Configure::read('Routing.admin') . '/login/';
> >         $this->controller->Auth->loginRedirect = '/' . Configure::read('Routing.admin') . '/';
> >         $this->controller->Auth->authorize = false;
> >         $this->controller->Auth->sessionKey = 'AdminUser';
> >     }
>
> > Here are the headers, checked by FireBug:
>
> > Response Headers
> > ==============
> > Date    Fri, 30 Nov 2007 10:30:54 GMT
> > Server  Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e
> > mod_autoindex_color PHP/5.2.3
> > X-Powered-By    PHP/5.2.3
> > P3P     CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
> > Pragma  no-cache
> > Cache-Control   no-store, no-cache, max-age=0, must-revalidate
> > Content-Length  719
> > Keep-Alive      timeout=5, max=97
> > Connection      Keep-Alive
> > Content-Type    text/html
>
> > Request Headers
> > =============
> > Host    localhost
> > User-Agent      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:
> > 1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
> > Accept  text/xml,application/xml,application/xhtml+xml,text/
> > html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> > Accept-Language en-us,en;q=0.7,he;q=0.3
> > Accept-Encoding gzip,deflate
> > Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive      300
> > Connection      keep-alive
> > X-Requested-With        XMLHttpRequest
> > Referer http://localhost/admin/
> > Cookie  ProgramName=77254f4fb7cf56b71b266668f6708f9a
> > Pragma  no-cache
> > Cache-Control   no-cache
>
> > If I request it through an HTTP data proxy, it doesn't load. Here are
> > the headers:
> > Response Headers
> > ==============
> > Date    Fri, 30 Nov 2007 10:43:57 GMT
> > Server  Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e
> > mod_autoindex_color PHP/5.2.3
> > X-Powered-By    PHP/5.2.3
> > P3P     CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
> > Pragma  no-cache
> > Cache-Control   no-store, no-cache, max-age=0, must-revalidate
> > Location        http://localhost/admin/login/
> > Content-Length  0
> > Keep-Alive      timeout=5, max=95
> > Connection      Keep-Alive
> > Content-Type    text/html
>
> > Request Headers
> > ============
> > Host    localhost
> > User-Agent      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:
> > 1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
> > Accept  */*
> > Accept-Language en-us,en;q=0.7,he;q=0.3
> > Accept-Encoding gzip,deflate
> > Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive      300
> > Connection      keep-alive
> > Referer http://localhost/admin/
> > Cookie  ProgramName=bc904aec5ff06a2d12bb6f334fde97ab
>
> > How can I make Auth check XHR calls?
>
> I doubt the Auth component cares how it receives a call, it's probably
> an app specific problem (if not provide a sample application which
> demonstrates the problem). Try having a look and investigatively debug
> the auth class, or stick some calls to $this->log($aVar); in your code
> to see if it's bypassing the Auth class, or calling it and succeeding
> etc.
>
> hth,
>
> AD
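The thread shows a route without the admin prefix beside the corrected one, and an Auth setup whose login and redirect paths are built from Configure::read('Routing.admin'). The example below is added here and is not code from the thread or from CakePHP itself: it puts the weak and corrected routes side by side and moves the Auth settings into an AppController::beforeFilter() that decides by the action about to run rather than by the URL that reached it, and that refuses an unauthenticated XMLHttpRequest to an admin action outright instead of redirecting it. It assumes a CakePHP 1.2-style Auth and RequestHandler API (the same one the poster's auth() setup uses); the 'sections' controller and the 'index'/'view' action names are placeholders, and the claim that Auth processes its own loginAction before consulting the allow list is an assumption about that version.

```php
<?php
// Added example, not code from the thread. Assumes CakePHP 1.2-style
// routing, Auth and RequestHandler; controller and action names are
// placeholders.

// --- config/routes.php -----------------------------------------------------
// Weak: this route reaches SectionsController::index() with no admin
// prefix, so a policy keyed to the admin prefix never applies to it.
// Router::connect('/sections/', array('controller' => 'sections',
//                                     'action' => 'index'));

// Corrected (the poster's fix): the same URL now maps to the admin-prefixed
// action and is covered by the same policy as every other admin URL.
Router::connect('/sections/', array(
    'controller' => 'sections',
    'action'     => 'index',
    'prefix'     => Configure::read('Routing.admin'),
));

// --- app_controller.php ----------------------------------------------------
class AppController extends Controller {
    var $components = array('Auth', 'RequestHandler');

    function beforeFilter() {
        $admin = Configure::read('Routing.admin');   // e.g. 'admin'

        // Same settings as the poster's auth() setup, applied to every
        // controller from one place.
        $this->Auth->userModel     = 'AdminUser';
        $this->Auth->userScope     = array('AdminUser.active' => '1');
        $this->Auth->loginAction   = '/' . $admin . '/login/';
        $this->Auth->loginRedirect = '/' . $admin . '/';
        $this->Auth->authorize     = false;
        $this->Auth->sessionKey    = 'AdminUser';

        // Decide by the action that is about to run, not by the URL that
        // reached it. Auth denies every action it was not told to allow, so
        // only the public (non-prefixed) actions are opened; an "<admin>_"
        // action stays protected whichever route matched it. (Assumption:
        // Auth handles its own loginAction before checking this list.)
        $isAdminAction = (strpos($this->action, $admin . '_') === 0);
        if (!$isAdminAction) {
            $this->Auth->allow('index', 'view');   // placeholder public actions
        }

        // XHR gets no special treatment. Without a logged-in AdminUser an
        // XMLHttpRequest to an admin action is refused with an explicit 403
        // rather than a 302 to the login page, so a script cannot mistake
        // the login HTML for the content it asked for.
        if ($isAdminAction
                && $this->RequestHandler->isAjax()
                && !$this->Auth->user()) {
            $this->header('HTTP/1.1 403 Forbidden');
            $this->_stop();
        }
    }
}
?>
```

A quick regression check against a setup like this is to request the same admin URL twice without a session, once as a plain request and once with the X-Requested-With: XMLHttpRequest header as in the FireBug dumps above, and confirm neither returns a 200 with a body: the plain request should get the 302 to the login page and the XHR the 403.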
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---