Posted to users@cocoon.apache.org by Tony Collen <tc...@neuagency.com> on 2003/03/20 22:17:17 UTC

cocoon-view as possible security problem? (fwd)

forwarding this to -users because i am having a little bit of lag and
mistyped the address the first time :P

tony

---------- Forwarded message ----------
Date: Thu, 20 Mar 2003 16:14:31 -0500 (EST)
From: Tony Collen <tc...@neuagency.com>
Reply-To: cocoon-dev@xml.apache.org
To: coocon-users@xml.apache.org
Cc: cocoon-dev@xml.apache.org
Subject: cocoon-view as possible security problem?

Browsing the livesites, on a whim I tried this URL:

http://dir.salon.com/?cocoon-view=content

and it worked!  Obviously someone deploying Cocoon should be aware that
this view is "on" by default, and may reveal data in your page you might
not want.  I have yet to see "bad" data get exposed, but there's always
the possibility.

Do we want the views turned off by default, and have a message in the
sitemap about enabling the views?  Would it make more sense to have
the name of the "cocoon-view" parameter be able to be changed via
configuration?  Say I wanted the parameter to be my-view instead of
cocoon-view.  Security through obscurity?


Tony
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-users-unsubscribe@xml.apache.org
For additional commands, e-mail: cocoon-users-help@xml.apache.org
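
A quick way to check a deployment of your own for the behaviour Tony describes, as an added example that is not code from this thread or from the Cocoon project: it fetches a page with and without `?cocoon-view=content` and decides from the two responses whether the parameter was honoured. The decision rule (a 200 response that differs from the normal page and comes back as XML while the normal page does not) and the placeholder host in the usage line are assumptions of this example, not facts from the post.

```python
"""Check whether a Cocoon site answers the 'cocoon-view' request parameter.

Added example; it is not code from the thread or from the Cocoon project.
It assumes the behaviour described in the post: appending
?cocoon-view=content to a page URL returns the pipeline's raw XML instead
of the serialized HTML page. The host in the usage line is a placeholder.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

XML_TYPES = ("text/xml", "application/xml")


def with_view(url, view="content"):
    """Append cocoon-view=<view> to url, keeping any existing query string."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query.append(("cocoon-view", view))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def media_type(content_type):
    """'text/html; charset=ISO-8859-1' -> 'text/html'."""
    return (content_type or "").split(";")[0].strip().lower()


def view_exposed(base, probe):
    """Decide from two responses whether the view parameter was honoured.

    base and probe are (status, content_type, body) for the plain URL and
    for the same URL with cocoon-view=content. The view is judged exposed
    (assumed rule) when both requests succeed, the bodies differ, and the
    probe came back as XML while the normal page did not.
    """
    b_status, b_ctype, b_body = base
    p_status, p_ctype, p_body = probe
    if b_status != 200 or p_status != 200:
        return False
    if p_body == b_body:
        return False  # parameter ignored: views are off, or the name was changed
    probe_is_xml = media_type(p_ctype) in XML_TYPES or p_body.lstrip().startswith(b"<?xml")
    base_is_xml = media_type(b_ctype) in XML_TYPES
    return probe_is_xml and not base_is_xml


def fetch(url, timeout=10):
    """GET url; return (status, content_type, body). HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "cocoon-view-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def check(url, view="content"):
    """Fetch the page with and without the view parameter and report."""
    base = fetch(url)
    probe = fetch(with_view(url, view))
    return view_exposed(base, probe), base, probe


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://cocoon.example/"  # placeholder host
    exposed, base, probe = check(target)
    print("base : %s %s" % (base[0], media_type(base[1])))
    print("probe: %s %s" % (probe[0], media_type(probe[1])))
    print("cocoon-view=content exposed" if exposed else "view parameter not honoured")
```

Run it only against sites you are responsible for. A "not honoured" result after renaming the parameter is the obscurity Tony mentions, not a fix: the check can be repeated with any other name. Since the views are declared in the sitemap, the durable remedy is to leave the view declarations a site does not need out of the deployed sitemap, so that there is nothing for the parameter to select.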


Re: cocoon-view as possible security problem? (fwd)

Posted by Sylvain Wallez <sy...@anyware-tech.com>.
Tony Collen wrote:

>forwarding this to -users because i am having a little bit of lag and
>mistyped the address the first time :P

Have a look at my answer on cocoon-dev :
http://marc.theaimsgroup.com/?l=xml-cocoon-dev&m=104823479001495&w=2

Sylvain

-- 
Sylvain Wallez                                  Anyware Technologies
http://www.apache.org/~sylvain           http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
