cocoon-dev mailing list archives

From "Rob Berens" <>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 13:41:51 GMT
On Friday, October 15, 2004 1:39 PM Carsten Ziegeler wrote
> Today we came across a possible security problem when you use flow
> script. We tested the following example with and the
> current 2.1.x branch. Here is a simple example:
> We have two areas in our web application, one is available for every
> user and one area is only accessible for authenticated users.
> We create two sub sitemaps - one for each area. Both are using
> flow with different scripts. The second sitemap is protected
> by using the authentication framework (how the authentication
> is done is actually not important).
> In each sitemap we have a matcher for the continuation id:
> Sitemap for global area:
>  - mounted at /global
>  - flowscript global.js
>  - matcher for continuation id
>    <map:match pattern="continue.*">
>        <map:call continuation="{1}"/>
>    </map:match>
> Sitemap for protected area:
>  - mounted at /protected
>  - flowscript protected.js
>  - matcher for continuation id
>    <map:match pattern="*.cont">
>        <map:call continuation="{1}"/>
>    </map:match>
> Now, if someone is able to pick up a valid continuation id for the
> area, it is possible to continue the flow script in "protected.js" by
> calling: "/global/continue.CONT_ID".
> Which means there isn't any further check, if the continuation id belongs
> to the sitemap or to the used javascripts in that sitemap.
> And flow is able to continue the script without any problems.

We identified this problem already and decided to solve it by having a
different way of making the continuation request. In our case we use the
original request with a request parameter, e.g.

Original request:

Continuation request:

The sitemap does authorization based on the request without taking into
consideration a possible continuation parameter and therefore both the
original request and the continuation request are checked in the same way.
After the authorization has taken place the continuation is detected by:

<map:match pattern="continuation" type="request-parameter">
  <map:call continuation="{1}"/>
</map:match>

Of course adding a request parameter to the original request is a bit
tougher than just replacing the last part by 123456.continue. To solve this
we have a transformer that, apart from many other things, for several
attributes like href, src etc. replaces the string:

by the original request with a continuation parameter e.g.

So it is something like a continuation pseudo protocol.

Rob Berens
Osirion B.V.
Gagelveld 41
6596 CC  Milsbeek
The Netherlands
Tel: +31 (0)485-54 02 03
Fax: +31 (0)485-54 02 04
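
The missing check described in the quoted message, as an added example that is not part of the original thread and is not Cocoon code: a constructed JavaScript model in which each continuation records the sitemap that created it, and a resume is refused when the request arrives through a different sitemap. All names (`createContinuation`, `authorize`, `parse`, `handle`, `bindToSitemap`) and the authorization rule are assumptions made for the illustration.

```javascript
// Constructed model of the situation in this thread; it is not Cocoon code.
const store = new Map(); // continuation id -> { sitemap, resume }
let nextId = 0;          // a counter keeps the demo deterministic; real ids must be unguessable

function createContinuation(sitemap, resume) {
  const id = "cont" + (++nextId);
  store.set(id, { sitemap, resume });
  return id;
}

// Assumed rule: only the protected sitemap requires an authenticated user.
function authorize(sitemap, user) {
  return sitemap !== "protected" || user !== null;
}

// Split "/global/continue.<id>" or "/protected/<id>.cont" into sitemap and id,
// mirroring the two matchers quoted above.
function parse(path) {
  let m = /^\/global\/continue\.(.+)$/.exec(path);
  if (m) return { sitemap: "global", id: m[1] };
  m = /^\/protected\/(.+)\.cont$/.exec(path);
  if (m) return { sitemap: "protected", id: m[1] };
  return null;
}

// bindToSitemap = false: resume any known id (the behaviour the quoted message reports).
// bindToSitemap = true:  additionally require that this sitemap created the id.
function handle(path, user, bindToSitemap) {
  const req = parse(path);
  if (!req) return "404";
  if (!authorize(req.sitemap, user)) return "403";
  const k = store.get(req.id);
  if (!k) return "404";
  if (bindToSitemap && k.sitemap !== req.sitemap) return "403";
  return k.resume();
}

// Constructed scenario: one flow started in each area.
const protectedId = createContinuation("protected", () => "protected.js resumed");
const globalId = createContinuation("global", () => "global.js resumed");
```

With `bindToSitemap` set, the protected continuation can only be resumed through `/protected`, where the authorization check for that area has already run.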
