Re: Possible security problem with flowscript

Fri, 15 Oct 2004 04:45:49 -0700 

Hi Carsten,

I can concur.
I found this out recently to my surprise, when I realised any sitemap continuation handler (using a request parameter) would handle any continuation it received, regardless of where it came from.
It was actually useful to me at the time, but I had not considered the security implications!!

regards Jeremy

On 15 Oct 2004, at 12:39, Carsten Ziegeler wrote:

Today we came across a possible security problem when you use flow
script. We tested the following example with 2.1.5.1 and the
current 2.1.x branch. Here is a simple example:

We have two areas in our web application, one is available for every
user and one area is only accessible for authenticated users.
We create two sub sitemaps - one for each area. Both are using
flow with different scripts. The second sitemap is protected
by using the authentication framework (how the authentication
is done is actually not important).
In each sitemap we have a matcher for the continuation id:

Sitemap for global area:
 - mounted at /global
 - flowscript global.js
 - matcher for continuation id
   <map:match pattern="continue.*">
       <map:call continuation="{1}"/>
   </map:match>

Sitemap for protected area:
 - mounted at /protected
 - flowscript protected.js
 - matcher for continuation id
   <map:match pattern="*.cont">
       <map:call continuation="{1}"/>
   </map:match>

Now, if someone is able to pick up a valid continuation id for the protected
area, it is possible to continue the flow script in "protected.js" by
calling: "/global/continue.CONT_ID".
Which means there isn't any further check, if the continuation id belongs
to the sitemap or to the used javascripts in that sitemap.
And flow is able to continue the script without any problems.

So it seems that it would be good if we would have some further checks.
I think, it would be good if flow would check if the continuation id
belongs to the sitemap where the map:call is performed. Currently the
ids are global and not on a per sitemap level.
Or we store the continuations in the session. Or?


Carsten

Carsten Ziegeler
Open Source Group, S&N AG
http://www.s-und-n.de
http://www.osoco.net/weblogs/rael/


--------------------------------------------------------

                  If email from this address is not signed
                                IT IS NOT FROM ME

                        Always check the label, folks !!!!!
--------------------------------------------------------



Attachment:
smime.p7s

Description: S/MIME cryptographic signature

Reply via email to