portals-jetspeed-dev mailing list archives

From Santiago Gala <sg...@hisitech.com>
Subject Re: psml profile "spoofing", a possible security hole
Date Tue, 25 Jun 2002 08:42:55 GMT
Weaver, Scott wrote:

>I have noticed in jetspeed(1.3a3) that a user can spoof another user's psml
>profile by copying a URL with psml information into the location bar.  This
>is also possible when not logged in (as anon).
>  
>
As Glenn said, this is due to the fact that security for 
portletsets/psml is not in place. There should not be a hardwired 
restriction here, but a proper security implementation. The version in 
tag Security_14 does not behave like this, and the current cvs version 
will not behave like this in the following days.

>Scenario:
>
>1. User logs in as User_A.
>2. User clicks a tab, then copies the URL: 
><http://localhost:8080/jetspeed/portal/user/user_a/page/default.psml/js_pane
>/P-ee8a3d53d3-10048>
>4. User then logs out as User_A.
>5. Now the User (not logged in at all) copies the above url into the
>browser.  User_A's psml
>profile is now available to the Anon user.  
>
>Portlets with security are restricted (good), however, all information that
>is not specifically secured is available.  IMOHO, there should be no way to
>access one user's psml profile from another or by anon.  I have patched the
>problem and included it below. 
>
>If this problem has already been addressed or if I'm totally off base,
>please let me know.
>
>Thanks,
>Scott
>
>Index:
>src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
>===================================================================
>RCS file:
>/home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/action
>s/JetspeedAccessController.java,v
>retrieving revision 1.4
>diff -u -r1.4 JetspeedAccessController.java
>---
>src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
>14 May 2002 17:35:32 -0000	1.4
>+++
>src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
>24 Jun 2002 20:42:41 -0000
>@@ -94,6 +94,22 @@
>         }
> 
>        // get the profile and store it in the RunData
>+       
>+       // This prevents one user from even seeing another's pane
>+       String requestedUser = jdata.getParameters().getString("user","-1");
>+       String sessionUser = jdata.getUser().getUserName();
>+       // Prevent anon from accessing other panes
>+       if(sessionUser == null && !requestedUser.equals(" -1"))
>+       {
>+       		 jdata.getParameters().remove("user");
>+       }
>+       // Prevent one person  from accessing another's pane
>+       else if(!sessionUser.equalsIgnoreCase(requestedUser))
>+       {
>+       		jdata.getParameters().remove("user");
>+       		jdata.getParameters().add("user",sessionUser);
>+       }
>+       
>         Profile newProfile = Profiler.getProfile(jdata);
>         Profile currentProfile = jdata.getProfile();
>         
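Review bot: the anonymous branch in this hunk compares the requested user against the literal " -1" (with a leading space), while the default passed to getString("user","-1") is "-1", so the two strings never match and `!requestedUser.equals(" -1")` is always true; use the same sentinel in both places, or test for the absence of the parameter directly. In the same hunk, if getUserName() returns null and the request carries no "user" parameter, the first condition could be skipped once the sentinel is fixed and control falls into `sessionUser.equalsIgnoreCase(requestedUser)`, which throws a NullPointerException, so the null check should guard both branches. Also, equalsIgnoreCase lets a request for "User_A" pass for a session user "user_a"; that is only safe if the profile store resolves user names case-insensitively, otherwise compare with equals() before handing the parameters to Profiler.getProfile(jdata).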
>
>  
>




--
To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>

