cocoon-dev mailing list archives

From Vadim Gritsenko <va...@reverycodes.com>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 12:52:26 GMT
Leszek Gawron wrote:
> Sylvain Wallez wrote:
> 
>> Leszek Gawron wrote:
>>
>>> Sylvain Wallez wrote:
>>>
>>>> This has already been identified by Leszek Gawron. Although this is 
>>>> an issue, it can only be exploited by hijacking a continuation ID 
>>>> which, if 
>>>> done, also means the ability to hijack the session ID and therefore 
>>>> the associated authorizations.

Exactly.


>>> 1. You login.
>>> 2. Do stuff.
>>> 3. Logout.

Did you forget to invalidate continuations? Your fault. (1)


>>> 4. Even restart your computer.
>>> 5. Go to the Firefox cache - the page is there (still do not know why if 
>>> I set caching headers properly).

Properly configured headers allow you to keep stuff out of the cache - works for me.
http://www.mozilla.org/projects/netlib/http/http-caching-faq.html


>>> 5. http://thehost.com/myapp/showReport.do. The page loads from cache. 
>>> The page content has a hidden input with valid continuation.

See (1) above.


>>>> The solution for this is the continuation-per-session manager, where 
>>>> a continuation ID only exists within a given session.
>>>
>>>
>>> Would you be so kind and review my solution for this? It is not quite 
>>> finished (instrumentation and debug info is not implemented) but I am 
>>> very eager to polish it if it could be useful to anyone but me.

I left some comments already in the bug report.


>> I also like your idea of associating the sitemap ID to the 
>> continuation so that a given continuation can only be called in the 
>> sitemap that created it. As the flowscript interpreter already holds 
>> this ID, that should be pretty much straightforward.

It won't work - see my example in the other email on this subject.


> How can I retrieve that ID? I could implement a test version for Carsten.

It is in AbstractInterpreter.getInterpreterID()


Vadim
