I believe this is indeed what I am seeing. I had been creating users as the admin but have been basically re-defining the content of that user's psml file, and I don't believe that I had been re-setting the security-id on the new resources.
Thanks

"Mark Orciuch" <[EMAIL PROTECTED]> wrote:

> I suspect the issue may be with newly created psml and panes - they are not
> assigned any security ref. Depending on your profiler configuration, the
> original profile may be properly protected with "owner-only" but any newly
> created panes are not. There's an outstanding enhancement for this:
> http://issues.apache.org/bugzilla/show_bug.cgi?id=16143.
>
> Best regards,
>
> Mark Orciuch - [EMAIL PROTECTED]
> Jakarta Jetspeed - Enterprise Portal in Java
> http://jakarta.apache.org/jetspeed/
>
>> -----Original Message-----
>> From: Brad Straw [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, January 15, 2003 8:32 PM
>> To: "Jetspeed Users List"
>> Subject: Re: Security Hole
>>
>> I downloaded the 1-15 nightly build today, tested this issue, and
>> I am still seeing this hole.
>>
>> All I am doing is
>>
>> 1) Creating 2 jetspeed users with the admin account
>> 2) Modifying each of the psml files to be different in content,
>> 3) Logging in with one user and then substituting the other user
>>    ID in the url.
>> 4) The other user's content is displayed without any problem.
>>
>> Any thoughts?
>>
>> Jim Arnott <[EMAIL PROTECTED]> wrote:
>>
>>> In the latest CVS version, this is no longer the case. See
>>> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15968 for more info.
>>>
>>> jim arnott
>>> Reuters R&D
>>>
>>> On Wed, 15 Jan 2003, Brad Straw wrote:
>>>
>>>> Hi,
>>>>
>>>> I have seen one other reference in the mailing list regarding
>>>> a security hole, but I want to clarify this issue. The following
>>>> url is displayed on the address bar:
>>>>
>>>> http://localhost:8080/portal/media-type/html/user/bstraw001/page/default.psml/js_pane/P-f2c3135036-10001
>>>>
>>>> This url design was not present in version 1.3a2.
>>>>
>>>> By substituting the userid with another valid userid, I can
>>>> see the other user's content.
>>>>
>>>> Any thoughts? Mitigating controls? Missed configuration?
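Added example, not Jetspeed's own code, showing the two defensive checks the thread points at: an audit that finds panes with no security ref (and stamps them "owner-only"), and a server-side check that the `/user/<id>/` segment of the request matches the logged-in user. It assumes a simplified Jetspeed 1 PSML layout of nested `<portlets>` elements with a `<security-ref parent="..."/>` child; the namespace, the sample profile and the function names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://xml.apache.org/jetspeed/psml/"   # assumed PSML namespace
ET.register_namespace("", NS)

def q(tag: str) -> str:
    """Qualify a PSML tag name with the assumed namespace."""
    return f"{{{NS}}}{tag}"

# Constructed sample profile: the root pane is owner-only, but a pane added
# later (P-new) carries no security-ref at all, as described in the thread.
SAMPLE_PSML = f"""<?xml version="1.0"?>
<portlets xmlns="{NS}" id="P-root">
  <security-ref parent="owner-only"/>
  <portlets id="P-new">
    <entry id="P-entry" parent="HelloWorld"/>
  </portlets>
</portlets>"""

def unprotected_panes(psml_text: str) -> list[str]:
    """Return ids of every <portlets> pane that has no direct <security-ref>."""
    root = ET.fromstring(psml_text)
    return [pane.get("id", "?") for pane in root.iter(q("portlets"))
            if pane.find(q("security-ref")) is None]

def protect_panes(psml_text: str, parent: str = "owner-only") -> str:
    """Insert <security-ref parent=.../> as the first child of each unprotected pane."""
    root = ET.fromstring(psml_text)
    for pane in root.iter(q("portlets")):
        if pane.find(q("security-ref")) is None:
            pane.insert(0, ET.Element(q("security-ref"), {"parent": parent}))
    return ET.tostring(root, encoding="unicode")

USER_SEGMENT = re.compile(r"/user/([^/]+)/")

def owns_requested_profile(session_user: str, path: str, is_admin: bool = False) -> bool:
    """Deny a per-user profile URL whose user segment differs from the session user.

    This check belongs in the request handler and does not depend on every
    pane having been given a security ref.
    """
    match = USER_SEGMENT.search(path)
    if match is None:
        return True   # not a per-user profile path; other rules apply
    return is_admin or match.group(1) == session_user
```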
