Jacques Le Roux created OFBIZ-10206:
---------------------------------------

             Summary: Security issue in Token Based Authentication
                 Key: OFBIZ-10206
                 URL: https://issues.apache.org/jira/browse/OFBIZ-10206
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: 17.12.01
            Reporter: Jacques Le Roux
            Assignee: Jacques Le Roux


The version I committed so far in OFBIZ-9833 has a small security issue.

I added the JWT (JSON Web Token 
[https://fr.wikipedia.org/wiki/JSON_Web_Token]), which guarantees an exchange 
between 2 servers. But the way I used it did not prevent changing the 
externalServerLoginKey parameter in the URL. Note that this is only possible 
from the server the JWT was sent from. This is still a (minor) risk if an 
unauthorized, malicious person managed to gain access to the backend of the 
source server.

The flaw is that I was using a query parameter in the ContextFilter.doFilter() 
wrapper where the JWT is created.

I just replaced it with reading the autoLoginCookie on the source server. I 
would have preferred to use the session, but when creating the JWT, the session 
contains neither userLogin nor userLoginId. I also need the source server 
webapp to read the autoLoginCookie. The webapp must therefore be passed as a 
new parameter in the query. On the target server I now read the userLoginId 
from the JWT and no longer from the request; that was the goal I had missed!

I have secured all cookies with OFBIZ-6655, so an autoLoginCookie can only be 
created or updated when creating the session on the source server. However, 
autoLoginCookies have a lifetime of one year and are not deleted during a 
logout. So an autoLoginCookie of another webapp (the webapp is passed as a 
parameter and thus modifiable in the URL) could in theory be used to force 
another loginUser contained in the autoLoginCookie of this other webapp.

I think that this lifespan may make sense for frontends (ecommerce, ecomseo, 
webpos), which have their own logout and where I suppose this feature (which 
in fact comes from ecommerce) exists to remember a customer. For the backend I 
don't see the interest, so I propose to delete autoLoginCookies on logout in 
the backend. For that I'll reopen and use OFBIZ-4959, which I closed as 
incomplete.

I will commit an improved version to trunk that I have tested locally with 
2 different webapps, but I still have to test it on 2 servers. I'm going to do 
that using the trunk demo from my machine.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
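The flaw and its fix, as an added example that is not part of the issue or of OFBiz's own code: a source server mints an HS256 JWT carrying the user identity as a claim, and the target server either (flawed) verifies the token but takes the user to log in from a request parameter, or (fixed) takes the identity from the verified claim only. Everything below is written against the JDK alone; the hand-rolled HS256 encoding, the shared secret, the `userLoginId` request parameter name and the payload layout are assumptions for the demo (the issue names only `externalServerLoginKey` and the `userLoginId` claim), not OFBiz's JWTManager.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ExternalLoginKeyDemo {
    // Shared secret known to both servers; a constructed value for this demo only.
    private static final byte[] SECRET =
            "demo-shared-secret-replace-me".getBytes(StandardCharsets.UTF_8);
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private static byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    /** Source server: build a minimal HS256 JWT whose payload carries the user identity. */
    static String createJwt(String userLoginId, long expEpochSec) throws Exception {
        if (!userLoginId.matches("[A-Za-z0-9._@-]+")) {
            throw new IllegalArgumentException("unsupported characters in userLoginId");
        }
        String header = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");
        String payload = b64("{\"userLoginId\":\"" + userLoginId + "\",\"exp\":" + expEpochSec + "}");
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }

    /** Target server: verify signature and expiry; return the userLoginId claim, or null on any failure. */
    static String verifyAndGetUserLoginId(String jwt, long nowEpochSec) throws Exception {
        if (jwt == null) return null;
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return null;
        String header, payload;
        byte[] actual;
        try {
            header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
            payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
            actual = B64D.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (!header.contains("\"alg\":\"HS256\"")) return null;      // refuse alg=none and the like
        byte[] expected = hmac(parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expected, actual)) return null;    // constant-time comparison
        Matcher exp = Pattern.compile("\"exp\":(\\d+)").matcher(payload);
        if (!exp.find() || Long.parseLong(exp.group(1)) <= nowEpochSec) return null;
        Matcher sub = Pattern.compile("\"userLoginId\":\"([^\"]*)\"").matcher(payload);
        return sub.find() ? sub.group(1) : null;
    }

    /** Flawed pattern: the token is verified, but the identity to log in is read from the request. */
    static String flawedTargetLogin(Map<String, String> params, long now) throws Exception {
        if (verifyAndGetUserLoginId(params.get("externalServerLoginKey"), now) == null) return null;
        return params.get("userLoginId");   // caller-controlled: one valid token logs in any user
    }

    /** Fixed pattern: the identity is the signed claim; the request parameter is never consulted. */
    static String fixedTargetLogin(Map<String, String> params, long now) throws Exception {
        return verifyAndGetUserLoginId(params.get("externalServerLoginKey"), now);
    }

    public static void main(String[] args) throws Exception {
        long now = 1_700_000_000L;
        String token = createJwt("flexadmin", now + 60);   // minted on the source server for flexadmin

        Map<String, String> tampered = new HashMap<>();
        tampered.put("externalServerLoginKey", token);
        tampered.put("userLoginId", "admin");              // edited in the URL by whoever holds the link

        System.out.println("flawed handler logs in: " + flawedTargetLogin(tampered, now)); // admin
        System.out.println("fixed handler logs in:  " + fixedTargetLogin(tampered, now));  // flexadmin

        // Editing the signed payload instead breaks the signature: nobody is logged in.
        String[] p = token.split("\\.");
        String forgedToken = p[0] + "." + b64("{\"userLoginId\":\"admin\",\"exp\":" + (now + 60) + "}") + "." + p[2];
        Map<String, String> forged = new HashMap<>(tampered);
        forged.put("externalServerLoginKey", forgedToken);
        System.out.println("forged token logs in:   " + fixedTargetLogin(forged, now));     // null

        // Past the exp claim the token is rejected as well.
        System.out.println("expired token logs in:  " + fixedTargetLogin(tampered, now + 120)); // null
    }
}
```

The point the issue makes is visible in the two handlers: the signature only proves that the source server issued the token, so anything the target server trusts must be inside the signed payload. A request parameter sitting next to the token is as editable as the token would be without its signature, which is why the fix reads userLoginId from the JWT and nowhere else.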