I suspect the issue may be with newly created psml and panes - they are not assigned any security ref. Depending on your profiler configuration, the original profile may be properly protected with "owner-only" but any newly created panes are not. There's an outstanding enhancement for this: http://issues.apache.org/bugzilla/show_bug.cgi?id=16143.
Best regards,

Mark Orciuch - [EMAIL PROTECTED]
Jakarta Jetspeed - Enterprise Portal in Java
http://jakarta.apache.org/jetspeed/

> -----Original Message-----
> From: Brad Straw [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 15, 2003 8:32 PM
> To: "Jetspeed Users List"
> Subject: Re: Security Hole
>
> I downloaded the 1-15 nightly build today, tested this issue, and
> I am still seeing this hole.
>
> All I am doing is
>
> 1) Creating 2 jetspeed users with the admin account
> 2) modifying each of the psml files to be different in content,
> 3) Logging in with one user and then substituting the other user
> ID in the url.
> 4) The other user's content is displayed without any problem.
>
> Any thoughts?
>
> Jim Arnott <[EMAIL PROTECTED]> wrote:
>
> >In the latest CVS version, this is no longer the case. See
> >http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15968 for more info.
> >
> >jim arnott
> >Reuters R&D
> >
> >On Wed, 15 Jan 2003, Brad Straw wrote:
> >
> >> Hi,
> >>
> >> I have seen one other reference in the mailing list regarding
> >> a security hole, but I want to clarify this issue. The following
> >> url is displayed on the address bar:
> >>
> >> http://localhost:8080/portal/media-type/html/user/bstraw001/page/default.psml/js_pane/P-f2c3135036-10001
> >>
> >> This url design was not present in version 1.3a2.
> >>
> >> By substituting the userid with another valid userid, I can
> >> see the other user's content.
> >>
> >> Any thoughts? Mitigating controls? Missed configuration?
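As an added illustration written for this thread (not Jetspeed's own code), here is a small Python model of the check Mark's explanation implies: a pane's own security ref applies when present, and a pane with no ref falls back to the profile's ref and finally to owner-only instead of being left unprotected. The path shape follows Brad's example URL; the names Pane, Profile, effective_ref, is_allowed and the "public" ref value are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Path shape taken from the URL quoted in the thread:
# /portal/media-type/html/user/<userid>/page/<page>.psml/js_pane/<paneid>
PANE_PATH = re.compile(
    r"^/portal/media-type/[^/]+/user/(?P<user>[^/]+)/page/(?P<page>[^/]+)/js_pane/(?P<pane>[^/]+)$"
)

@dataclass
class Pane:                       # hypothetical model of one psml pane
    pane_id: str
    security_ref: Optional[str] = None   # None = newly created pane, no ref assigned

@dataclass
class Profile:                    # hypothetical model of one user's psml profile
    owner: str
    security_ref: Optional[str] = "owner-only"
    panes: Dict[str, Pane] = field(default_factory=dict)

def effective_ref(profile: Profile, pane: Pane, inherit: bool) -> Optional[str]:
    """Security ref that governs the pane.
    inherit=False: a pane without a ref stays unprotected (the behaviour the thread describes).
    inherit=True : fall back to the profile's ref, then to owner-only (fail closed)."""
    if pane.security_ref is not None:
        return pane.security_ref
    if not inherit:
        return None
    return profile.security_ref or "owner-only"

def is_allowed(path: str, session_user: str, profiles: Dict[str, Profile], inherit: bool = True) -> bool:
    """Decide whether the logged-in session_user may view the pane named by path."""
    m = PANE_PATH.match(path)
    if not m:
        return False                          # not a pane URL at all
    profile = profiles.get(m["user"])
    pane = profile.panes.get(m["pane"]) if profile else None
    if pane is None:
        return False                          # unknown user or pane
    ref = effective_ref(profile, pane, inherit)
    if ref is None:
        return True                           # no ref anywhere: anyone can view (the hole)
    if ref == "owner-only":
        return session_user == profile.owner  # the user in the URL must be the session user
    if ref == "public":                       # constructed ref name for the example
        return True
    return False                              # unrecognised ref: deny
```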
