Forwarded, not sure why it's needed... Looks like OE-QuoteFix is the culprit...

Jacques

----- Original Message -----
From: "Jacques Le Roux" <[email protected]>
To: <[email protected]>
Sent: Thursday, July 01, 2010 10:35 AM
Subject: Re: Calling service remotely - security concern


Indeed, it looks like a real security concern. I did not look at how to retrieve another user's UserLogin though. If this is possible then it's a real concern!

Jacques

Scott Gray wrote:
I think Muhammed's point is that once a user has authenticated using their own username/password, it is possible that they could retrieve another user's UserLogin record and then use it to execute services without needing to know that user's password.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 1/07/2010, at 7:58 PM, Jacques Le Roux wrote:

In your example you needed first to know the login/pwd couple. So I can't see the problem here.

Jacques

From: "Muhammed Aamir" <[email protected]>
All services where auth="true" take at least three IN (or INOUT) parameters by default: 1) login.username, 2) login.password and 3) loginUser.
No. 1 and 2 definitely make sense. However 3 might be a security threat (or my understanding is wrong). Any user (calling a service remotely) can pass a loginUser GV (which he somehow got hold of, maybe by invoking a getRelated sort of method on some other GV) which might not belong to her.

Sent from my iPhone

On Jul 1, 2010, at 1:42, David E Jones <[email protected]> wrote:


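The concern in this thread is a service engine that lets a remote caller hand in a userLogin (the thread also calls it loginUser) value alongside the login.username/login.password pair. The following is an added illustration, not OFBiz code and not anything from the thread's authors: a toy service engine with a dispatcher that trusts the caller-supplied userLogin beside one that always derives the effective user from the authenticated credentials and refuses a mismatching userLogin. The user store, the `updateProfile` service, the usernames and passwords, and all function names are constructed for the example.

```python
"""Added example (not OFBiz code): a toy service engine showing why the effective
user must come from the authenticated credentials, not from a caller-supplied
userLogin value. All names, the user store and the service are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional


@dataclass(frozen=True)
class UserLogin:
    """Stands in for a UserLogin record: id plus salted password hash."""
    user_login_id: str
    salt: bytes
    password_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs fast; raise it in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_user(user_login_id: str, password: str) -> UserLogin:
    salt = secrets.token_bytes(16)
    return UserLogin(user_login_id, salt, _hash(password, salt))


# Constructed in-memory store standing in for the UserLogin entity.
USERS: Dict[str, UserLogin] = {
    "alice": make_user("alice", "alice-pw"),
    "bob": make_user("bob", "bob-pw"),
}


class AuthError(Exception):
    pass


def authenticate(username: Optional[str], password: Optional[str]) -> Optional[UserLogin]:
    """Return the UserLogin only if the credential pair checks out."""
    if username is None or password is None:
        return None
    user = USERS.get(username)
    if user is None:
        _hash(password, b"\0" * 16)  # keep timing similar for unknown users
        return None
    if hmac.compare_digest(_hash(password, user.salt), user.password_hash):
        return user
    return None


def update_profile(context: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed service with auth="true": it acts on context["userLogin"]."""
    return {"updated_for": context["userLogin"].user_login_id,
            "nickname": context["nickname"]}


SERVICES: Dict[str, Dict[str, Any]] = {
    "updateProfile": {"auth": True, "impl": update_profile},
}


def dispatch_trusting_caller(name: str, context: Dict[str, Any]) -> Dict[str, Any]:
    """Weak engine: a userLogin present in the context is used as-is, so whoever
    holds any UserLogin record can run the service as that user."""
    svc = SERVICES[name]
    if svc["auth"] and "userLogin" not in context:
        user = authenticate(context.get("login.username"), context.get("login.password"))
        if user is None:
            raise AuthError("bad credentials")
        context["userLogin"] = user
    return svc["impl"](context)


def dispatch_hardened(name: str, context: Dict[str, Any]) -> Dict[str, Any]:
    """Hardened engine: always authenticate, drop any caller-supplied userLogin,
    and refuse outright if it named a different user than the credentials."""
    svc = SERVICES[name]
    if svc["auth"]:
        user = authenticate(context.get("login.username"), context.get("login.password"))
        if user is None:
            raise AuthError("authentication required")
        supplied = context.pop("userLogin", None)
        if supplied is not None and getattr(supplied, "user_login_id", None) != user.user_login_id:
            raise AuthError("userLogin does not match authenticated user")
        context["userLogin"] = user  # the only trusted source of identity
    return svc["impl"](context)


def try_dispatch(dispatcher: Callable[..., Dict[str, Any]], name: str,
                 context: Dict[str, Any]) -> Dict[str, Any]:
    """Run a dispatcher on a copy of the context and report the outcome as data."""
    try:
        return {"ok": True, "result": dispatcher(name, dict(context))}
    except AuthError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # alice authenticates as herself but hands over bob's UserLogin record.
    ctx = {"login.username": "alice", "login.password": "alice-pw",
           "userLogin": USERS["bob"], "nickname": "x"}
    print("trusting caller:", try_dispatch(dispatch_trusting_caller, "updateProfile", ctx))
    print("hardened:       ", try_dispatch(dispatch_hardened, "updateProfile", ctx))
```

The design point is that a userLogin value arriving over the wire is just data the caller chose; only the credential check binds a request to an identity, so the engine must overwrite the context's userLogin with the authenticated record rather than consult it. Logging the refusal in the hardened path also gives a clean detection signal for callers that present one identity's credentials with another's record.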