Posted to rampart-dev@ws.apache.org by "Amila Chinthaka Suriarachchi (JIRA)" <ji...@apache.org> on 2007/12/20 16:08:44 UTC

[jira] Commented: (RAMPART-127) Possible Security Hole

    [ https://issues.apache.org/jira/browse/RAMPART-127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12553691 ] 

Amila Chinthaka Suriarachchi commented on RAMPART-127:
------------------------------------------------------

Hi Ruchith,
Think about this scenario as well.
Let's say we have a service and it has an operation.
The service has a security policy to encrypt the body and the operation has a security policy to sign the headers. So when we get the effective policy from the service it gives only the encrypt policy, and when getting the effective policy from the operation it gives both sign and encrypt.

As in the earlier case, the correct scenario is to send the SOAP action, and the headers are expected to be signed and the body is expected to be encrypted. Since there is a SOAP action, the operation has been dispatched when it comes to the security phase and everything works fine.

Let's say someone sends a message without signing and without a SOAP action. Here we have to note that anyone can encrypt the message since it requires the public key, and the possible problem for the intruders is to find the private key to sign.
So he sends the message without signing.
When it comes to the security phase, it has only dispatched the service and hence only the encryption policy is applied and the message is decrypted correctly. Then the message is dispatched with body based dispatching and hence the message would proceed to the MR.

Ruchith,
Is this scenario also covered by your fix?

When considering both these scenarios, what I can say is that putting the security phase before the dispatches is anyway risky.

Any thoughts?


> Possible Security Hole
> ----------------------
>
>                 Key: RAMPART-127
>                 URL: https://issues.apache.org/jira/browse/RAMPART-127
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-core
>    Affects Versions: 1.3
>            Reporter: Amila Chinthaka Suriarachchi
>            Priority: Critical
>
> Let's take this scenario.
> There is a service which has an operational policy to sign the SOAP headers and has engaged security at the operational level. There is a SOAP action for this operation and in the normal case users are supposed to send a SOAP action. So at the service level the operation is dispatched using the SOAP action and signature verification is done.
> Let's say an intruder sends a SOAP message without signing and without a SOAP action. Then the operation is not dispatched before the security phase and hence security verification is not being done. So the message which does not have any security headers passes through.
> Then this will dispatch with soapBodyBased dispatching and finally it hits the MR.
> So this is a security hole.
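
The ordering problem described in the comment and in the quoted issue, as an added toy model (not Rampart or Axis2 code, and not part of the original message). All names, the dispatch tables and the sample messages are hypothetical; the `recheck_after_dispatch` variant is an assumed mitigation that re-evaluates the operation's effective policy once body-based dispatch has run.

```python
# Toy model of the dispatch/security ordering discussed in RAMPART-127.
# Every name here is hypothetical; this is not Axis2 or Rampart code.

SERVICE_POLICY = {"encrypt_body"}               # policy attached to the service
OPERATION_POLICY = {"echo": {"sign_headers"}}   # extra policy per operation
ACTION_TO_OP = {"urn:echo": "echo"}             # SOAP-action dispatch table
BODY_TO_OP = {"echoRequest": "echo"}            # body-based dispatch table


def effective_policy(operation):
    """Service policy plus the operation's policy, if the operation is known."""
    return SERVICE_POLICY | OPERATION_POLICY.get(operation, set())


def satisfied(msg, policy):
    """True if the message carries every protection the policy demands."""
    return policy <= msg["protections"]


def process(msg, recheck_after_dispatch):
    """Return (accepted, operation) for one inbound message."""
    # SOAP-action dispatch runs before the security phase.
    op = ACTION_TO_OP.get(msg.get("soap_action"))
    # Security phase: only the policy visible at this point is enforced.
    if not satisfied(msg, effective_policy(op)):
        return (False, op)
    # Body-based dispatch runs after the security phase.
    if op is None:
        op = BODY_TO_OP.get(msg["body_element"])
        # Assumed mitigation: check again with the operation's policy.
        if recheck_after_dispatch and not satisfied(msg, effective_policy(op)):
            return (False, op)
    return (op is not None, op)


# Constructed sample messages.
LEGIT = {"soap_action": "urn:echo", "body_element": "echoRequest",
         "protections": {"encrypt_body", "sign_headers"}}
UNSIGNED_NO_ACTION = {"soap_action": None, "body_element": "echoRequest",
                      "protections": {"encrypt_body"}}
UNSIGNED_WITH_ACTION = {"soap_action": "urn:echo", "body_element": "echoRequest",
                        "protections": {"encrypt_body"}}

if __name__ == "__main__":
    for name in ("LEGIT", "UNSIGNED_NO_ACTION", "UNSIGNED_WITH_ACTION"):
        m = globals()[name]
        print(name, process(m, False), process(m, True))
```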
