Hello,

Without looking deep into the details (I still do not have a good overview of the Wt internals), from the first shot I think a method such as PostView::saveEdit() in the blog example has a little security gap. I think that by injecting a little JavaScript one could trigger the saveButton::clicked signal, which would allow saving (PostView::saveEdit) of any existing Post. Maybe this is not true, and I hope your blog does not have this sec. gap.
I sent this first to Koen as it might affect the security of the blog on webtoolkit.eu. He asked me to post this again on the list.

Koen's answer:

But I do not believe there is an issue. Deep down in the core of Wt there is a check that only 'exposed' signals can be triggered: thus only signals which are exposed in the user interface through e.g. a button. Thus, as long as there is no button (or something else) visible in the user interface which the user could click to trigger saveEdit(), access to that method is blocked.

> intruders/hackers probably never use the normal way of doing things. So wouldn't
> they expect that by pressing an already existing button they would get their job done :)

In our case, I did not mean an existing button, but creating that button. There are several Firefox plugins that help you inject HTML and JavaScript into a page. Once the HTML and JavaScript behind the button are known, one can probably inject it into the page and trigger saveEdit for the existing session.

In the blog example's logic, in my opinion, some basic authorization is missing when saving the object. In the current state of the code the message is saved whatsoever user triggers it (through a hack as described above). So I think that the trivial solution would be to check if the current session's user name is authorized to save the current object (the object with the current ID), etc.

--
rgrds,
mobi phil
being mobile, but including technology
http://mobiphil.com
_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest
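The check the post proposes, as an added example that is not part of the Wt blog example or of the mailing-list thread. It is plain C++ with no Wt dependency; `Post`, `Session` and `PostStore` are hypothetical stand-ins for the blog example's own post, session and view types, and `saveEditUnchecked` models the behaviour the post describes (the save goes through for whoever fires the signal) beside a `saveEdit` that refuses unless the session's user owns the post. The point it demonstrates is that authorization is decided from server-side session state, not from whether a button was exposed in the UI.

```cpp
// Added example, not code from the Wt blog example or from the post.
// All names here are hypothetical stand-ins for the blog example's types.
#include <map>
#include <string>

struct Post {
    int id;
    std::string author;   // user name of the post's owner
    std::string body;
};

struct Session {
    std::string user;     // user authenticated for this session ("" if none)
};

class PostStore {
public:
    int add(const std::string& author, const std::string& body) {
        int id = nextId_++;
        posts_[id] = Post{id, author, body};
        return id;
    }

    // Behaviour the post describes: whoever triggers the signal gets the
    // post saved, with no check of who is asking. Kept here as the "before".
    void saveEditUnchecked(int id, const std::string& body) {
        posts_.at(id).body = body;
    }

    // Hardened save: the decision depends only on the session bound to the
    // request and on the object's owner. Returns false, and changes nothing,
    // for an unknown post, an anonymous session, or a non-owner.
    bool saveEdit(const Session& s, int id, const std::string& body) {
        auto it = posts_.find(id);
        if (it == posts_.end()) return false;
        if (s.user.empty() || it->second.author != s.user) return false;
        it->second.body = body;
        return true;
    }

    const Post& get(int id) const { return posts_.at(id); }

private:
    int nextId_ = 1;
    std::map<int, Post> posts_;
};

// Scenario from the post: an attacker holding a valid session of their own
// injects the markup for a save button and fires the signal against a post
// that belongs to someone else. Returns true if the hardened path behaves
// as intended while the unchecked path does not.
bool demo() {
    PostStore store;
    int aliceId = store.add("alice", "original text");
    Session mallory{"mallory"};

    // Before: the edit lands regardless of who asked.
    store.saveEditUnchecked(aliceId, "defaced");
    bool uncheckedOverwrote = store.get(aliceId).body == "defaced";
    store.saveEditUnchecked(aliceId, "original text");   // reset for the demo

    // After: the same request is refused and the post is untouched.
    bool refused = !store.saveEdit(mallory, aliceId, "defaced");
    bool intact = store.get(aliceId).body == "original text";

    // The owner's own session can still save.
    Session alice{"alice"};
    bool ownerOk = store.saveEdit(alice, aliceId, "edited by owner");

    return uncheckedOverwrote && refused && intact && ownerOk
        && store.get(aliceId).body == "edited by owner";
}

int main() { return demo() ? 0 : 1; }
```

The ownership rule is deliberately the simplest one the post suggests (user name of the session equals author of the object with that ID); a real deployment would typically add a role check for moderators, but that is beyond what the thread discusses.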
