cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeremy Quinn <>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 11:45:42 GMT
Hi Carsten,

I can concur.
I found this out recently to my surprise, when I realised any sitemap 
continuation handler (using a request parameter) would handle any 
continuation it received, regardless of where it came from.
It was actually useful to me at the time, but I had not considered the 
security implications!!

regards Jeremy

On 15 Oct 2004, at 12:39, Carsten Ziegeler wrote:

> Today we came across a possible security problem when you use flow
> script. We tested the following example with and the
> current 2.1.x branch. Here is a simple example:
> We have two areas in our web application, one is available for every
> user and one area is only accessible for authenticated users.
> We create two sub sitemaps - one for each area. Both are using
> flow with different scripts. The second sitemap is protected
> by using the authentication framework (how the authentication
> is done is actually not important).
> In each sitemap we have a matcher for the continuation id:
> Sitemap for global area:
>  - mounted at /global
>  - flowscript global.js
>  - matcher for continuation id
>    <map:match pattern="continue.*">
>        <map:call continuation="{1}"/>
>    </map:match>
> Sitemap for protected area:
>  - mounted at /protected
>  - flowscript protected.js
>  - matcher for continuation id
>    <map:match pattern="*.cont">
>        <map:call continuation="{1}"/>
>    </map:match>
> Now, if someone is able to pick up a valid continuation id for the 
> protected
> area, it is possible to continue the flow script in "protected.js" by
> calling: "/global/continue.CONT_ID".
> Which means there isn't any further check, if the continuation id 
> belongs
> to the sitemap or to the used javascripts in that sitemap.
> And flow is able to continue the script without any problems.
> So it seems that it would be good if we would have some further checks.
> I think, it would be good if flow would check if the continuation id
> belongs to the sitemap where the map:call is performed. Currently the
> ids are global and not on a per sitemap level.
> Or we store the continuations in the session. Or?
> Carsten
> Carsten Ziegeler
> Open Source Group, S&N AG

                   If email from this address is not signed
                                 IT IS NOT FROM ME

                         Always check the label, folks !!!!!

View raw message