portals-jetspeed-dev mailing list archives

From "Weaver, Scott" <Swea...@rippe.com>
Subject psml profile "spoofing", a possible security hole
Date Mon, 24 Jun 2002 20:53:33 GMT

I have noticed in jetspeed(1.3a3) that a user can spoof another user's psml
profile by copying a URL with psml information into the location bar.  This
is also possible when not logged in (as anon).

Scenario:

1. User logs in as User_A.
2. User clicks a tab, then copies the URL:
   <http://localhost:8080/jetspeed/portal/user/user_a/page/default.psml/js_pane/P-ee8a3d53d3-10048>
3. User then logs out as User_A.
4. Now the User (not logged in at all) copies the above URL into the browser. User_A's psml profile is now available to the Anon user.

Portlets with security are restricted (good); however, all information that
is not specifically secured is available.  IMOHO, there should be no way to
access one user's psml profile from another or by anon.  I have patched the
problem and included it below.

If this problem has already been addressed or if I'm totally off base,
please let me know.

Thanks,
Scott

Index:
src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
===================================================================
RCS file:
/home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/action
s/JetspeedAccessController.java,v
retrieving revision 1.4
diff -u -r1.4 JetspeedAccessController.java
---
src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
14 May 2002 17:35:32 -0000	1.4
+++
src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
24 Jun 2002 20:42:41 -0000
@@ -94,6 +94,22 @@
         }
 
        // get the profile and store it in the RunData
+       
+       // This prevents one user from even seeing another's pane
+       String requestedUser = jdata.getParameters().getString("user","-1");
+       String sessionUser = jdata.getUser().getUserName();
+       // Prevent anon from accessing other panes
+       if(sessionUser == null && !requestedUser.equals(" -1"))
+       {
+       		 jdata.getParameters().remove("user");
+       }
+       // Prevent one person  from accessing another's pane
+       else if(!sessionUser.equalsIgnoreCase(requestedUser))
+       {
+       		jdata.getParameters().remove("user");
+       		jdata.getParameters().add("user",sessionUser);
+       }
+       
         Profile newProfile = Profiler.getProfile(jdata);
         Profile currentProfile = jdata.getProfile();
         
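Review bot: the anonymous check `if(sessionUser == null && !requestedUser.equals(" -1"))` compares against `" -1"` with a leading space, which never equals the `"-1"` default returned by `getString("user","-1")`; as written the branch fires for every anonymous request, even one carrying no `user` parameter, and if the literal is corrected to `"-1"` the `else if` then calls `sessionUser.equalsIgnoreCase(requestedUser)` on a null `sessionUser` for an anonymous request without a parameter. Guard the second branch with `sessionUser != null` (or return early when `requestedUser` is still the default) and compare against `"-1"` exactly. The code also assumes `jdata.getUser()` itself is non-null for a session that is not logged in; if it can be null the `getUserName()` call needs the same guard. Two smaller points: the mismatch case silently rewrites `user` to the session user instead of rejecting or at least logging the request, so the spoofing attempt described in the mail leaves no trace; and the added lines mix tabs with the surrounding space indentation.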

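The same profile-owner check as the patch, as an added example that is not Jetspeed's code, written so that the anonymous and missing-parameter cases cannot dereference a null and a mismatch is refused rather than rewritten. The `Map` stands in for `jdata.getParameters()` and a null `sessionUser` for an anonymous session; both are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Jetspeed code: derive the psml profile owner from the
 * session, never from the URL. The Map stands in for jdata.getParameters()
 * and a null sessionUser for an anonymous session (assumptions of this example).
 */
public class ProfileOwnerCheck {

    /** Result of reconciling the URL's "user" selector with the session. */
    public enum Decision { ALLOW, STRIPPED, DENIED }

    public static Decision enforce(Map<String, String> params, String sessionUser) {
        String requested = params.get("user");
        // No selector in the URL: nothing to spoof, and no null to dereference.
        if (requested == null || requested.isEmpty()) {
            return Decision.ALLOW;
        }
        // Anonymous session: drop the selector so the default profile is served.
        if (sessionUser == null) {
            params.remove("user");
            return Decision.STRIPPED;
        }
        // Authenticated session asking for someone else's profile: refuse the
        // request instead of silently rewriting it, so the caller can log it.
        if (!sessionUser.equalsIgnoreCase(requested)) {
            return Decision.DENIED;
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed requests mirroring the scenario in the mail.
        Map<String, String> anonNoUser = new HashMap<>();      // anon, plain portal URL
        Map<String, String> anonCopiedUrl = new HashMap<>();   // anon, User_A's copied URL
        anonCopiedUrl.put("user", "user_a");
        Map<String, String> ownProfile = new HashMap<>();      // User_A viewing own pane
        ownProfile.put("user", "User_A");
        Map<String, String> otherProfile = new HashMap<>();    // User_A requesting user_b
        otherProfile.put("user", "user_b");

        System.out.println("anon, no selector:    " + enforce(anonNoUser, null));
        System.out.println("anon, copied URL:     " + enforce(anonCopiedUrl, null));
        System.out.println("user_a, own profile:  " + enforce(ownProfile, "user_a"));
        System.out.println("user_a, user_b's:     " + enforce(otherProfile, "user_a"));
    }
}
```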