portals-jetspeed-dev mailing list archives

From Glenn Golden <ggol...@umich.edu>
Subject RE: psml profile "spoofing", a possible security hole
Date Tue, 25 Jun 2002 04:16:55 GMT
Please do NOT commit this change.  I, for one, have cases where one user
would want to see another user's page.  To restrict this is the role of the
security service, and perhaps could be an optional feature there (or just be
handled using normal security restrictions, if desired).

In my app, we have user pages, and group pages, and we need to allow sets of
users to see each group page, and block other users from seeing group pages.
The exact same is true for the user pages - our users can allow others to
join them on their pages, and block others from seeing their pages.  The
security service definitions will be used to allow all this.

Thanks.

- Glenn

--------------------------------------------
Glenn R. Golden, Systems Research Programmer 
University of Michigan School of Information
ggolden@umich.edu               734-615-1419
--------------------------------------------


> -----Original Message-----
> From: Weaver, Scott [mailto:Sweaver@rippe.com] 
> Sent: Monday, June 24, 2002 4:54 PM
> To: 'jetspeed-dev@jakarta.apache.org'
> Subject: psml profile "spoofing", a possible security hole
> 
> 
> 
> I have noticed in jetspeed(1.3a3) that a user can spoof 
> another user's psml profile by copying a URL with psml 
> information into the location bar.  This is also possible 
> when not logged in (as anon).
> 
> Scenario:
> 
> 1. User logs in as User_A.
> 2. User clicks a tab, then copies the URL:
> <http://localhost:8080/jetspeed/portal/user/user_a/page/default.psml/js_pane/P-ee8a3d53d3-10048>
> 3. User then logs out as User_A.
> 4. Now the User (not logged in at all) copies the above URL
> into the browser.  User_A's psml profile is now available to
> the Anon user.
> 
> Portlets with security are restricted (good), however, all 
> information that is not specifically secured is available.  
> IMHO, there should be no way to access one user's psml 
> profile from another or by anon.  I have patched the problem 
> and included it below. 
> 
> If this problem has already been addressed or if I'm totally 
> off base, please let me know.
> 
> Thanks,
> Scott
> 
> Index: 
> src/java/org/apache/jetspeed/modules/actions/JetspeedAccessCon
> troller.java
> ===================================================================
> RCS file: 
> /home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/
> modules/action
> s/JetspeedAccessController.java,v
> retrieving revision 1.4
> diff -u -r1.4 JetspeedAccessController.java
> --- 
> src/java/org/apache/jetspeed/modules/actions/JetspeedAccessCon
> troller.java
> 14 May 2002 17:35:32 -0000	1.4
> +++
> src/java/org/apache/jetspeed/modules/actions/JetspeedAccessCon
> troller.java
> 24 Jun 2002 20:42:41 -0000
> @@ -94,6 +94,22 @@
>          }
>  
>         // get the profile and store it in the RunData
> +       
> +       // This prevents one user from even seeing another's pane
> +       String requestedUser = 
> jdata.getParameters().getString("user","-1");
> +       String sessionUser = jdata.getUser().getUserName();
> +       // Prevent anon from accessing other panes
> +       if(sessionUser == null && !requestedUser.equals(" -1"))
> +       {
> +       		 jdata.getParameters().remove("user");
> +       }
> +       // Prevent one person  from accessing another's pane
> +       else if(!sessionUser.equalsIgnoreCase(requestedUser))
> +       {
> +       		jdata.getParameters().remove("user");
> +       		jdata.getParameters().add("user",sessionUser);
> +       }
> +       
>          Profile newProfile = Profiler.getProfile(jdata);
>          Profile currentProfile = jdata.getProfile();
>          
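Review bot: the anon branch compares `requestedUser` against `" -1"` (leading space) while `getString("user","-1")` supplies `"-1"`, so the sentinel never matches: `remove("user")` runs for every anonymous request, including ones that carried no `user` parameter, and a request that did carry the literal `" -1"` would fall through to `sessionUser.equalsIgnoreCase(...)` on a null `sessionUser`. The else-if has the larger problem: it fires whenever a logged-in request has no `user` parameter at all (`requestedUser` is then the `"-1"` default), so a request addressed by group or role gets `user=<sessionUser>` added and is steered to the caller's own profile, and a viewer who is entitled to another user's page is rewritten the same way, which is the case Glenn's reply objects to. Suggest acting only when the parameter is actually present (pass `null` as the default and test for it) and, instead of silently rewriting the locator, asking the security service whether `sessionUser` may view `requestedUser`'s profile and rejecting the request when it may not. Minor: the added lines mix tabs and spaces, and the comment "Prevent one person  from" has a doubled space.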
> 
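The two positions in this thread, as an added example that is not Jetspeed code or anything posted by Scott or Glenn: the posted patch rewrites the `user` locator to the session user (or strips it for anon), while the reply wants visibility decided by security-service definitions so that group pages and deliberately shared user pages still work. The request shape, the ACL structure, and every name and sample definition below are assumptions made for the illustration.

```python
"""Profile access: the posted patch versus a security-service style check.

Added example, not Jetspeed code.  It models the two positions in the thread:
the patch forces the `user` locator to the session user (or strips it for
anon), while Glenn's reply wants visibility decided by security definitions
so that group pages and deliberately shared user pages keep working.  The
request shape, the ACL structure and all names below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Request:
    params: Dict[str, str]          # profile locator, e.g. {"user": "user_a"}
    session_user: Optional[str]     # None models an anonymous session


def patched_controller(req: Request) -> Dict[str, str]:
    """Mirror the logic of the posted patch; return the rewritten parameters.

    Quirks are kept on purpose: getString("user", "-1") defaults to "-1" but
    the anon branch compares against " -1" (leading space), and the else
    branch fires for any logged-in request whose `user` parameter is absent.
    """
    params = dict(req.params)
    requested = params.get("user", "-1")
    if req.session_user is None and requested != " -1":
        params.pop("user", None)                  # anon: drop the locator
    elif req.session_user.lower() != requested.lower():
        params["user"] = req.session_user         # force the session user
    return params


@dataclass
class ProfileAcl:
    """Constructed stand-in for what a security service would store."""
    owner: Optional[str] = None                       # user pages have an owner
    viewers: Set[str] = field(default_factory=set)    # users allowed to join
    public: bool = False                              # visible to anon


# Constructed sample definitions: user_a shares a page with user_b, a group
# page is limited to two members, and one group page is public.
PROFILE_ACLS: Dict[Tuple[str, str], ProfileAcl] = {
    ("user", "user_a"): ProfileAcl(owner="user_a", viewers={"user_b"}),
    ("user", "user_c"): ProfileAcl(owner="user_c"),
    ("group", "staff"): ProfileAcl(viewers={"user_a", "user_b"}),
    ("group", "notices"): ProfileAcl(public=True),
}


def locate_profile(params: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Pick the profile the URL addresses: user, group or role."""
    for kind in ("user", "group", "role"):
        if kind in params:
            return (kind, params[kind])
    return None


def security_service_check(req: Request) -> str:
    """Decide on the requested profile instead of rewriting the request.

    Returns "allow", "deny", or "own-default" when no profile was addressed
    and the portal would fall back to the session user's own default page.
    """
    key = locate_profile(req.params)
    if key is None:
        return "own-default"
    acl = PROFILE_ACLS.get(key)
    if acl is None:
        return "deny"                       # unknown profile: fail closed
    if acl.public:
        return "allow"
    if req.session_user is None:
        return "deny"                       # the anon case from the report
    if req.session_user == acl.owner or req.session_user in acl.viewers:
        return "allow"
    return "deny"


def compare(req: Request) -> Tuple[Dict[str, str], str]:
    """Run both checks on one request so the difference is visible."""
    return patched_controller(req), security_service_check(req)


if __name__ == "__main__":
    cases = [
        Request({"user": "user_a"}, None),        # reported scenario: anon reuses the URL
        Request({"user": "user_a"}, "user_b"),    # shared page, legitimate viewer
        Request({"group": "staff"}, "user_a"),    # group page, member
        Request({"group": "staff"}, "user_c"),    # group page, non-member
    ]
    for c in cases:
        print(c.params, c.session_user, "->", compare(c))
```

Both checks stop the anonymous replay of user_a's URL. They part ways on the cases the reply describes: the patch sends user_b to user_b's own page even though user_a has let user_b in, and it appends `user=<session user>` to a group-addressed request because no `user` parameter was present, while the ACL check answers allow or deny on the profile that was actually requested.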


