hi everybody!
I've come across two security issues w.r.t. admin.changePassword while
digging around:
(1) the password dialog is submitted via GET. this will expose the
password to somebody watching the browser's address bar. the attached
patch changes the method to POST. you can argue that security is
currently not implemented anyway, since we are sending clear-text
around. granted. but: we are using <input type="password"/> fields, so
the goal seems to be: hide the password from people watching the screen.
which implies that the values should be POSTed.
(2) the checkOldPassword flag is set via a request parameter, which can
be easily tampered with by normal users.
if this is meant only as a usability thing, that is not a problem. if
however it is meant to protect logged-in users from having their
passwords changed while they are not looking, this issue becomes important.
my suggestion is to always checkOldPassword if the users do not belong
to the admin group, and to hope that admins know better than to leave
their sessions unattended.
I'm not sure though if I have understood all the side-effects of this,
so I would welcome your comments.
jörn
--
"Open source takes the bullshit out of software."
- Charles Ferguson on TechnologyReview.com
--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736
Index: src/webapp/lenya/usecases/admin/changePassword.jx
===================================================================
--- src/webapp/lenya/usecases/admin/changePassword.jx (revision 411441)
+++ src/webapp/lenya/usecases/admin/changePassword.jx (working copy)
@@ -28,7 +28,7 @@
<h1><i18n:text>Change Password</i18n:text></h1>
- <form id="form-change_password">
+ <form id="form-change_password" method="POST">
<input type="hidden" name="lenya.continuation" value="${continuation.id}"/>
<input type="hidden" name="lenya.usecase" value="${request.getParameter('lenya.usecase')}"/>
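Review bot: adding method="POST" to the form only changes what a cooperating browser does; the usecase behind it still accepts the same parameters over GET, so the address-bar exposure is only closed if the server side also rejects non-POST submissions of this usecase. The hunk also leaves issue (2) untouched: checkOldPassword is still read from a request parameter, so the decision whether to verify the old password should be taken server-side from the session user's group, as the message proposes, rather than from anything the form submits.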
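As an added illustration (not Jörn's patch and not Lenya code), a minimal Python model of the two issues discussed above: the first handler trusts a client-supplied checkOldPassword flag, the second follows the suggestion in the message (refuse GET, derive the flag from the session user's group, verify the old password with a constant-time comparison). The user store, salt and names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed in-memory user store: name -> [group, salted password hash].
SALT = b"constructed-demo-salt"  # real code would use a random per-user salt


def _h(pw: str) -> bytes:
    return hashlib.sha256(SALT + pw.encode()).digest()


USERS = {"alice": ["editors", _h("old-secret")],
         "root": ["admin", _h("admin-secret")]}


@dataclass
class Request:
    method: str                      # "GET" or "POST"
    user: str                        # identity from the server-side session
    params: dict = field(default_factory=dict)


def _set_password(user: str, new_pw: str, check_old: bool, old_pw: str) -> str:
    group, stored = USERS[user]
    if check_old and not hmac.compare_digest(stored, _h(old_pw)):
        return "rejected: old password wrong"
    USERS[user][1] = _h(new_pw)
    return "changed"


def change_password_vulnerable(req: Request) -> str:
    # The flag is whatever the client sent; omitting it skips the check.
    check_old = req.params.get("checkOldPassword") == "true"
    return _set_password(req.user, req.params["newPassword"], check_old,
                         req.params.get("oldPassword", ""))


def change_password_hardened(req: Request) -> str:
    # Refuse GET so the password never lands in the URL / address bar.
    if req.method != "POST":
        return "rejected: method must be POST"
    # Decide server-side: non-admins must always prove the old password.
    check_old = USERS[req.user][0] != "admin"
    return _set_password(req.user, req.params["newPassword"], check_old,
                         req.params.get("oldPassword", ""))
```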