Hey Mobi,

2010/2/8 mobi phil <[email protected]>:
> Hello,
>
> Without looking deep into the details (I still do not have a good
> overview of the Wt internals), from the first shot I think a method like
> PostView::saveEdit() in the blog example has a little security gap. I
> think by injecting a little javascript one could trigger the
> saveButton::clicked signal, which would allow saving
> (PostView::saveEdit) of any existing Post. Maybe this is not true, and I
> hope your blog does not have this sec. gap.
>
> I sent this first to Koen as it might affect the security of the blog on
> webtoolkit.eu.
>
> He asked to post this again on the list.
>
> Koen's answer:
>
> But I do not believe there is an issue. Deep down in the core of Wt there
> is a check that only 'exposed' signals can be triggered: thus only
> signals which are exposed in the user interface through e.g. a button.
> Thus, as long as there is no button (or something else) visible in the
> user interface which the user could click to trigger saveEdit(),
> access to that method is blocked.
>
>> intruders/hackers probably never use normal way of doing things. So wouldn't
>> they expect that by pressing an already existing button they would get their job done :)
> In our case, I did not mean an existing button, but creating that button.
> There are several firefox plugins that help you inject html and
> javascript into a page.
> Once knowing the html and javascript behind the button, one can
> probably inject it into the page and trigger saveEdit for the existing session.
>
> In the blog example's logic, in my opinion, some basic authorization is
> missing when saving the object. In the current state of the code the
> message is saved whichever user triggers it (through a hack described
> above). So I think that the trivial solution would be to check if the
> current session's user name is authorized to save the current object
> (the object with the current ID), etc.

The check is done at the server side. So even if the user creates new
buttons or does whatever, the security measures are taken server-side
and only those buttons instantiated by the server (or more
specifically, signals that get exposed), can trigger Wt code.

Nevertheless, we take security seriously, and if you are really
convinced that there is a security problem and think of a way of
triggering it, you can easily convince us by demonstrating it?

Regards,
koen
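A constructed sketch, added to this archived thread and not Wt's or the blog example's own code, of the two server-side checks discussed above: the server dispatches only signals it has exposed in the rendered UI (Koen's point), and saveEdit() additionally verifies that the session's user is the post's author (Mobi's proposed check). The Session/Post types, the global post store and the signal-id strings are assumptions made for the illustration.

```cpp
#include <map>
#include <set>
#include <string>

// Hypothetical model of a blog post; stands in for the example's Dbo-backed Post.
struct Post {
    int id;
    std::string author;
    std::string text;
};

// Hypothetical session state: the authenticated user ("" if anonymous) and the
// ids of signals that were exposed through widgets the server actually rendered.
struct Session {
    std::string user;
    std::set<std::string> exposedSignals;   // e.g. "post-7/save" once a Save button exists
};

std::map<int, Post> posts;   // constructed in-memory store for the illustration

// Authorization check proposed in the thread: only the post's author may save it.
bool mayEdit(const Session& s, const Post& p) {
    return !s.user.empty() && s.user == p.author;
}

// Save handler with the ownership check added; returns false when the save is refused.
bool saveEdit(Session& s, int postId, const std::string& newText) {
    auto it = posts.find(postId);
    if (it == posts.end() || !mayEdit(s, it->second))
        return false;
    it->second.text = newText;
    return true;
}

// Models the core check Koen describes: a request naming a signal id is only
// dispatched if that signal was exposed in this session's UI. A signal id forged
// by client-side script that the server never exposed is dropped before any
// handler runs; the ownership check then covers the case where the button exists.
bool dispatch(Session& s, const std::string& signalId, int postId, const std::string& text) {
    if (s.exposedSignals.count(signalId) == 0)
        return false;
    return saveEdit(s, postId, text);
}
```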

_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest