Exactly. The point here between all of us (Robert, RockettMan, and I) is do
not use url variables to guarantee security. Use session variables.
If a user tries to view a message that does not belong to #session.user# you
know this is an illegal attempt to view another person's message.
--Ali
----- Original Message -----
From: "Guillermo Dewey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 30, 2000 4:37 PM
Subject: secutity isue
> Hi
>
> just wanted to tell you that anybody that logs into any account can change
> manually the message ID, allowing them to read somebody else's messages, folders
----- Original Message -----
From: "Robert Forsyth" <[EMAIL PROTECTED]>
To: "inFusion Support List" <[EMAIL PROTECTED]>
Sent: Thursday, November 30, 2000 5:32 PM
Subject: RE: [iMS] Re: secutity isue
I take care of this by comparing the accountnum against
session.accountnum (set at login) when I run the query to get the message.
This keeps people from doing this... If the session expires... they get booted
back to the login page.
Robert Forsyth
----- Original Message -----
From: "Ali Jaffrey" <[EMAIL PROTECTED]>
To: "Guillermo Dewey" <[EMAIL PROTECTED]>
Sent: Thursday, November 30, 2000 5:24 PM
Subject: Re: secutity isue
>
> Hi Dewy,
>
> > just wanted to tell you that anybody that logs into any account can
> > change manually the message ID, allowing them to read somebody else's messages
>
> This is a simple security issue. I pass my msgId just like id=816421 for
> example. Try changing the id numbers and see what happens.
>
> However, you will never be able to view anyone else's messages.
>
> There is no protection against url variables. I know.
>
> --Ali
>
>
>
>
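The check Ali and Robert describe, as an added ColdFusion example (not iMS code, nor code from either poster): the account number stored in the session at login is part of the query's WHERE clause, so a guessed URL id never returns another account's row. It assumes session management is enabled, that login sets session.accountnum, a datasource name in request.dsn, and a messages table with msgid, accountnum, subject and body columns (all hypothetical names).

```cfml
<!--- Added example (not iMS code): show a message only if it belongs to the logged-in account. --->
<!--- Assumptions: login sets session.accountnum; table "messages" has msgid, accountnum, subject, body. --->

<!--- Expired or missing session: back to the login page, as Robert describes. --->
<cfif NOT IsDefined("session.accountnum")>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<!--- Reject anything that is not a plain number before it reaches the query. --->
<cfif NOT IsDefined("url.id") OR NOT IsNumeric(url.id)>
    <cfabort showerror="Missing or invalid message id.">
</cfif>

<!--- The ownership check lives in the WHERE clause: url.id alone never selects a row. --->
<cfquery name="getMsg" datasource="#request.dsn#">
    SELECT msgid, subject, body
    FROM messages
    WHERE msgid = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND accountnum = <cfqueryparam value="#session.accountnum#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- No row: the id does not exist or belongs to someone else. Log it, tell the user nothing more. --->
<cfif getMsg.recordCount EQ 0>
    <cflog file="security" type="warning"
           text="account #session.accountnum# requested message #url.id# it does not own (#cgi.REMOTE_ADDR#)">
    <cfabort showerror="Message not found.">
</cfif>

<cfoutput>
<h2>#HTMLEditFormat(getMsg.subject)#</h2>
<p>#HTMLEditFormat(getMsg.body)#</p>
</cfoutput>
```

The same "not found" response for a nonexistent id and for someone else's id keeps the page from confirming which ids exist, while the log line gives you the record of repeated id changes that Ali calls an illegal attempt.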
========================================================================
This list server is Powered by iMS
'The Swiss Army Knife of Mail Servers'
--------------------------------------
To leave this list please complete the form at
http://www.CoolFusion.com/iMS.htm
List archives: http://www.mail-archive.com/infusion-email%40eoscape.com/
========================================================================