Carsten Ziegeler wrote:
Today we came across a possible security problem when you use flow
script. We tested the following example with 2.1.5.1 and the
current 2.1.x branch. Here is a simple example:
We have two areas in our web application, one is available for every
user and one area is only accessible for authenticated users.
We create two sub sitemaps - one for each area. Both are using
flow with different scripts. The second sitemap is protected
by using the authentication framework (how the authentication
is done is actually not important).
In each sitemap we have a matcher for the continuation id:
Sitemap for global area:
- mounted at /global
- flowscript global.js
- matcher for continuation id
<map:match pattern="continue.*">
  <map:call continuation="{1}"/>
</map:match>
Sitemap for protected area:
- mounted at /protected
- flowscript protected.js
- matcher for continuation id
<map:match pattern="*.cont">
  <map:call continuation="{1}"/>
</map:match>
Now, if someone is able to pick up a valid continuation id for the protected
area, it is possible to continue the flow script in "protected.js" by
calling: "/global/continue.CONT_ID".
Which means there isn't any further check whether the continuation id belongs
to the sitemap or to the JavaScripts used in that sitemap.
And flow is able to continue the script without any problems.
So it seems that it would be good if we had some further checks.
I think it would be good if flow checked whether the continuation id
belongs to the sitemap where the map:call is performed. Currently the
ids are global and not on a per-sitemap level.
Or we store the continuations in the session. Or?
Ah.. I did not read your mail carefully enough. You would like to bind
continuations to the sitemap. My HolderAwareContinuationsManagerImpl stores
all continuations in session regardless of its creation place. If there is
some possibility to bind a WebContinuationsHolder to a particular sitemap the
change in my continuations manager is a few-liner really (just change the way
the WebContinuationsHolder is being looked up).
--
Leszek Gawron [EMAIL PROTECTED]
Project Manager MobileBox sp. z o.o.
+48 (61) 855 06 67 http://www.mobilebox.pl
mobile: +48 (501) 720 812 fax: +48 (61) 853 29 65