cocoon-dev mailing list archives

From Sylvain Wallez <sylv...@apache.org>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 12:36:58 GMT
Leszek Gawron wrote:

> Sylvain Wallez wrote:
>
>> This has already been identified by Leszek Gawron. Although this is
>> an issue, it can only be exploited by hijacking a continuation ID
>> which, if done, also means the ability to hijack the session ID and
>> therefore the associated authorizations.
> not only ..
>
> 1. You login.
> 2. Do stuff.
> 3. Logout.
> 4. Even restart your computer.
> 5. Go to Firefox cache - the page is there (still do not know why if I
> set caching headers properly).
> 6. http://thehost.com/myapp/showReport.do. The page loads from cache.
> The page content has a hidden input with valid continuation.
> 7. submit form.
> 8. the report is yours!


You're right, but this works only during the continuation expiration period.

>> The solution for this is the continuation-per-session manager, where 
>> a continuation ID only exists within a given session.
>
> Would you be so kind and review my solution for this? It is not quite 
> finished (instrumentation and debug info is not implemented) but I am 
> very eager to polish it if it could be useful to anyone but me.


I'm insanely busy until next Wednesday and unfortunately will not be
able to look at it before. Maybe someone else can do it in the meantime?

I also like your idea of associating the sitemap ID to the continuation 
so that a given continuation can only be called in the sitemap that 
created it. As the flowscript interpreter already holds this ID, that 
should be pretty much straightforward.

Sylvain

-- 
Sylvain Wallez                                  Anyware Technologies
http://www.apache.org/~sylvain           http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }

