Posted to jetspeed-dev@portals.apache.org by "Weaver, Scott" <Sw...@rippe.com> on 2002/06/24 22:53:33 UTC

psml profile "spoofing", a possible security hole

I have noticed in jetspeed(1.3a3) that a user can spoof another user's psml
profile by copying a URL with psml information into the location bar.  This
is also possible when not logged in (as anon).

Scenario:

1. User logs in as User_A.
2. User clicks a tab, then copies the URL:
<http://localhost:8080/jetspeed/portal/user/user_a/page/default.psml/js_pane/P-ee8a3d53d3-10048>
3. User then logs out as User_A.
4. Now the User (not logged in at all) copies the above URL into the
browser.  User_A's psml profile is now available to the Anon user.

Portlets with security are restricted (good), however, all information that
is not specifically secured is available.  IMOHO, there should be no way to
access one user's psml profile from another or by anon.  I have patched the
problem and included it below. 

If this problem has already been addressed or if I'm totally off base,
please let me know.

Thanks,
Scott

Index:
src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
===================================================================
RCS file:
/home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/action
s/JetspeedAccessController.java,v
retrieving revision 1.4
diff -u -r1.4 JetspeedAccessController.java
---
src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
14 May 2002 17:35:32 -0000	1.4
+++
src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
24 Jun 2002 20:42:41 -0000
@@ -94,6 +94,22 @@
         }
 
        // get the profile and store it in the RunData
+       
+       // This prevents one user from even seeing another's pane
+       String requestedUser = jdata.getParameters().getString("user","-1");
+       String sessionUser = jdata.getUser().getUserName();
+       // Prevent anon from accessing other panes
+       if(sessionUser == null && !requestedUser.equals(" -1"))
+       {
+       		 jdata.getParameters().remove("user");
+       }
+       // Prevent one person  from accessing another's pane
+       else if(!sessionUser.equalsIgnoreCase(requestedUser))
+       {
+       		jdata.getParameters().remove("user");
+       		jdata.getParameters().add("user",sessionUser);
+       }
+       
         Profile newProfile = Profiler.getProfile(jdata);
         Profile currentProfile = jdata.getProfile();
         
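Review bot: the anonymous branch compares against `" -1"` (leading space) while `getString("user","-1")` defaults to `"-1"`, so `!requestedUser.equals(" -1")` is always true; here that only causes a harmless `remove("user")` when no parameter was sent, but the intent was clearly `"-1"`. The bigger risk is the `else if`: it is only reached when the first condition is false, and if `sessionUser` is null at that point `sessionUser.equalsIgnoreCase(requestedUser)` throws a NullPointerException. A null-safe form such as `if (sessionUser == null || !sessionUser.equalsIgnoreCase(requestedUser))` covers both cases in one branch. Two further points: the patch assumes `getUser().getUserName()` returns null for the anonymous session, which should be confirmed (if anon is a named user, the first branch never fires and the second one does the work instead); and silently rewriting the `user` parameter to the session user blocks every cross-user request, including any legitimate administrative one, and hides the attempt from the caller, so an explicit reject plus an authorization check would be easier to reason about and to log.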

Re: psml profile "spoofing", a possible security hole

Posted by Santiago Gala <sg...@hisitech.com>.
Weaver, Scott wrote:

>I have noticed in jetspeed(1.3a3) that a user can spoof another user's psml
>profile by copying a URL with psml information into the location bar.  This
>is also possible when not logged in (as anon).
>  
>
As Glenn said, this is due to the fact that security for 
portletsets/psml is not in place. There should not be hardwired 
restriction here, but a proper security implementation. The version in 
tag Security_14 does not behave like this, and the current cvs version 
will not behave like this in the following days.

>Scenario:
>
>1. User logs in as User_A.
>2. User clicks a tab, then copies the URL:
><http://localhost:8080/jetspeed/portal/user/user_a/page/default.psml/js_pane/P-ee8a3d53d3-10048>
>3. User then logs out as User_A.
>4. Now the User (not logged in at all) copies the above URL into the
>browser.  User_A's psml profile is now available to the Anon user.
>
>Portlets with security are restricted (good), however, all information that
>is not specifically secured is available.  IMOHO, there should be no way to
>access one user's psml profile from another or by anon.  I have patched the
>problem and included it below. 
>
>If this problem has already been addressed or if I'm totally off base,
>please let me know.
>
>Thanks,
>Scott
>
>Index:
>src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
>===================================================================
>RCS file:
>/home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/action
>s/JetspeedAccessController.java,v
>retrieving revision 1.4
>diff -u -r1.4 JetspeedAccessController.java
>---
>src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
>14 May 2002 17:35:32 -0000	1.4
>+++
>src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
>24 Jun 2002 20:42:41 -0000
>@@ -94,6 +94,22 @@
>         }
> 
>        // get the profile and store it in the RunData
>+       
>+       // This prevents one user from even seeing another's pane
>+       String requestedUser = jdata.getParameters().getString("user","-1");
>+       String sessionUser = jdata.getUser().getUserName();
>+       // Prevent anon from accessing other panes
>+       if(sessionUser == null && !requestedUser.equals(" -1"))
>+       {
>+       		 jdata.getParameters().remove("user");
>+       }
>+       // Prevent one person  from accessing another's pane
>+       else if(!sessionUser.equalsIgnoreCase(requestedUser))
>+       {
>+       		jdata.getParameters().remove("user");
>+       		jdata.getParameters().add("user",sessionUser);
>+       }
>+       
>         Profile newProfile = Profiler.getProfile(jdata);
>         Profile currentProfile = jdata.getProfile();
>         

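The access decision debated in this thread, written out as an added example that is not code from the patch or from Jetspeed: the profile owner named in the request is resolved against the session identity, anonymous sessions only get the shared anonymous profile, and a cross-user request is refused unless an explicit authorization check passes, rather than being silently rewritten. The `ProfileOwnerResolver` class, the `anon` profile name and the `sessionIsAdmin` flag are assumptions; the case-insensitive name comparison mirrors the patch and the lower-cased `user_a` in the reported URL.

```java
import java.util.Map;
import java.util.Optional;

/** Hypothetical, standalone resolver: decides whose PSML profile a request may load. */
public final class ProfileOwnerResolver {
    /** Assumed name of the shared anonymous profile. */
    public static final String ANON = "anon";

    /**
     * @param sessionUser   user name of the authenticated session, or null when not logged in
     * @param params        request parameters as parsed from the URL (e.g. user=user_a)
     * @param sessionIsAdmin assumed authorization flag for cross-user access
     * @return the profile owner to load, or empty when the request must be refused
     */
    public static Optional<String> resolve(String sessionUser, Map<String, String> params,
                                           boolean sessionIsAdmin) {
        String requested = params.get("user");
        // Not logged in: the anonymous profile is the only one reachable, regardless of the URL.
        if (sessionUser == null) {
            boolean onlyAnon = requested == null || requested.equalsIgnoreCase(ANON);
            return onlyAnon ? Optional.of(ANON) : Optional.empty();
        }
        // No owner named in the request: default to the caller's own profile.
        if (requested == null) {
            return Optional.of(sessionUser);
        }
        // The caller asks for their own profile (names compared case-insensitively, as in the patch).
        if (requested.equalsIgnoreCase(sessionUser)) {
            return Optional.of(sessionUser);
        }
        // Anyone else's profile is an authorization decision, not a hard-wired block.
        return sessionIsAdmin ? Optional.of(requested) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed parameters for the URL copied in the report.
        Map<String, String> copiedUrl = Map.of("user", "user_a", "page", "default.psml");
        // 1. The reported scenario: User_A's URL replayed with no session -> refused.
        System.out.println("anon replay: " + resolve(null, copiedUrl, false));
        // 2. The same URL used by User_A while logged in -> user_a's own profile.
        System.out.println("owner:       " + resolve("User_A", copiedUrl, false));
        // 3. A different logged-in user replaying it -> refused.
        System.out.println("other user:  " + resolve("user_b", copiedUrl, false));
        // 4. An administrator reviewing user_a's profile -> permitted by the explicit check.
        System.out.println("admin:       " + resolve("admin", copiedUrl, true));
    }
}
```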