On Friday, October 15, 2004 1:39 PM Carsten Ziegeler wrote
> Today we came across a possible security problem when you use flow
> script. We tested the following example with 2.1.5.1 and the
> current 2.1.x branch. Here is a simple example:
>
> We have two areas in our web application, one is available for every
> user and one area is only accessible for authenticated users.
> We create two sub sitemaps - one for each area. Both are using
> flow with different scripts. The second sitemap is protected
> by using the authentication framework (how the authentication
> is done is actually not important).
> In each sitemap we have a matcher for the continuation id:
>
> Sitemap for global area:
> - mounted at /global
> - flowscript global.js
> - matcher for continuation id
> <map:match pattern="continue.*">
> <map:call continuation="{1}"/>
> </map:match>
>
> Sitemap for protected area:
> - mounted at /protected
> - flowscript protected.js
> - matcher for continuation id
> <map:match pattern="*.cont">
> <map:call continuation="{1}"/>
> </map:match>
>
> Now, if someone is able to pick up a valid continuation id for the protected
> area, it is possible to continue the flow script in "protected.js" by
> calling: "/global/continue.CONT_ID".
> Which means there isn't any further check, if the continuation id belongs
> to the sitemap or to the used javascripts in that sitemap.
> And flow is able to continue the script without any problems.
We identified this problem already and decided to solve it by having a
different way of making the continuation request. In our case we use the
original request with a request parameter, e.g.
Original request:
mywebapp/original.html
Continuation request:
mywebapp/original.html?continuation=123456
The sitemap does authorization based on the request without taking into
consideration a possible continuation parameter and therefore both the
original request and the continuation request are checked in the same way.
After the authorization has taken place the continuation is detected by:
<map:match pattern="continuation" type="request-parameter">
<map:call continuation="{1}"/>
</map:match>
Of course adding a request parameter to the original request is a bit
tougher than just replacing the last part by 123456.continue. To solve this
we have a transformer that, apart from many other things, for several
attributes like href, src etc. replaces the string:
continuation:123456
by the original request with a continuation parameter e.g.
/mywebapp/original.html?continuation=123456
So it is something like a continuation pseudo protocol.
Rob Berens
Osirion B.V.
Gagelveld 41
6596 CC Milsbeek
The Netherlands
Tel: +31 (0)485-54 02 03
Fax: +31 (0)485-54 02 04
E-mail: [EMAIL PROTECTED]
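A constructed model of the missing check Carsten describes (an added example, not Cocoon code and not from either poster): continuation ids sit in one registry shared by all sub sitemaps, so the open sitemap's matcher can resume a flow the protected sitemap created; recording the owning mount and comparing it on resume is the check the thread says is absent. The mounts, matcher patterns and flow names follow the messages above; the store, callbacks and user names are assumed.

```python
import secrets

class ContinuationStore:
    """One registry for every sitemap, as in the reported behaviour."""
    def __init__(self):
        self._conts = {}  # continuation id -> (owning sitemap mount, resume callback)

    def create(self, owner, resume):
        cid = secrets.token_hex(8)        # stands in for Cocoon's generated id
        self._conts[cid] = (owner, resume)
        return cid

    def resume(self, cid, caller, scoped):
        """scoped=False reproduces the problem: the calling sitemap is ignored.
        scoped=True refuses ids that a different mount created."""
        owner, callback = self._conts[cid]
        if scoped and owner != caller:
            raise PermissionError(f"{cid} belongs to {owner}, not {caller}")
        return callback()

def dispatch(store, mount, path, user, scoped):
    """Two sub sitemaps as in the post: /global is open, /protected needs a user."""
    if mount == "/protected" and user is None:
        raise PermissionError("authentication required")
    if path.startswith("continue."):      # /global: <map:match pattern="continue.*">
        return store.resume(path[len("continue."):], mount, scoped)
    if path.endswith(".cont"):            # /protected: <map:match pattern="*.cont">
        return store.resume(path[:-len(".cont")], mount, scoped)
    return "page"

def scenario(scoped):
    """Returns what an anonymous caller gets when replaying a protected id via /global."""
    store = ContinuationStore()
    # An authenticated user (assumed name) suspends a flow in protected.js.
    cid = store.create("/protected", lambda: "protected-flow-resumed")
    assert dispatch(store, "/protected", f"{cid}.cont", "alice", scoped) == "protected-flow-resumed"
    # The same id is then sent to the open sitemap's continuation matcher.
    try:
        return dispatch(store, "/global", f"continue.{cid}", None, scoped)
    except PermissionError:
        return "denied"
```

Without the owner check the protected flow resumes for an unauthenticated caller; with it the replay is refused before the flow runs.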