cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 12:41:06 GMT
Sylvain Wallez wrote:
> Leszek Gawron wrote:
> 
>> Sylvain Wallez wrote:
>>
>>> This has already been identified by Leszek Gawron. Although this is 
>>> an issue, it can only be exploited by hijacking a continuation ID 
>>> which, if done, also means the ability to hijack the session ID and 
>>> therefore the associated authorizations.
>>
>> not only ..
>>
>> 1. You login.
>> 2. Do stuff.
>> 3. Logout.
>> 4. Even restart your computer.
>> 5. Go to firefox cache - the page is there (still do not know why if I 
>> set caching headers properly).
>> 6. http://thehost.com/myapp/showReport.do. The page loads from cache. 
>> The page content has a hidden input with valid continuation.
>> 7. Submit form.
>> 8. The report is yours!
> 
> You're right, but this works only during the continuation expiration 
> period.
> 
>>> The solution for this is the continuation-per-session manager, where 
>>> a continuation ID only exists within a given session.
>>
>> Would you be so kind and review my solution for this? It is not quite 
>> finished (instrumentation and debug info is not implemented) but I am 
>> very eager to polish it if it could be useful to anyone but me.
> 
> I'm insanely busy until next Wednesday and unfortunately will not be 
> able to look at it before. Maybe someone else can do it in the meantime?
> 
> I also like your idea of associating the sitemap ID to the continuation 
> so that a given continuation can only be called in the sitemap that 
> created it. As the flowscript interpreter already holds this ID, that 
> should be pretty much straightforward.
> 
> Sylvain
> 
How can I retrieve that ID? I could implement a test version for Carsten.

-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
