portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 8830] New: - Hole in Role based PSML/Security
Date Mon, 06 May 2002 17:29:43 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8830>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8830

Hole in Role based PSML/Security

           Summary: Hole in Role based PSML/Security
           Product: Jetspeed
           Version: 1.3a3-dev / CVS
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Security
        AssignedTo: jetspeed-dev@jakarta.apache.org
        ReportedBy: paul.tecca@parexel.com


We are using Role based security and role based PSML and have found that user's 
can access unauthorized roles by specifying the role as a query parameter like 
this:

http://servername/webappname/portal?Role=rolename

Apparently the jetspeed security subsystem is looking for an HTTP post 
parameter named "Role" and if the parameter's value is a valid PSML role, it 
will display that role's portlets to the user.  Even if that user does not have 
permission to that role via TURBINE_USER_GROUP_ROLE.

This is a major security problem for us as we are using role based security and 
role based PSML to partition functional access.

--
To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>


Mime
View raw message