Posted to jetspeed-user@portals.apache.org by Brad Straw <bk...@netscape.net> on 2003/01/15 20:00:44 UTC

Security Hole

Hi,

I have seen one other reference in the mailing list regarding a security hole, but I want to clarify this issue.  The following url is displayed on the address bar:

http://localhost:8080/portal/media-type/html/user/bstraw001/page/default.psml/js_pane/P-f2c3135036-10001

This url design was not present in version 1.3a2.

By substituting the userid with another valid userid, I can see the other user's content.

Any thoughts? Mitigating controls?  Missed configuration?


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
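An added illustration of the access-control point this post raises (example code written for this archive, not Jetspeed's own code and not from either poster): a page lookup that serves whatever user is named in the URL path, beside one that compares the path owner against the authenticated session principal before returning the PSML. The page store, share table, session type and URL builder are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed sample store: user id -> that user's PSML (contents are placeholders).
PSML_STORE: Dict[str, str] = {
    "bstraw001": "<portlets id='bstraw001-home'/>",
    "otheruser": "<portlets id='otheruser-home'/>",
}
# Constructed share grants: owner -> user ids explicitly allowed to view the owner's page.
SHARES: Dict[str, Set[str]] = {"otheruser": set()}

@dataclass
class Session:
    user: Optional[str]        # authenticated principal, None when anonymous
    is_admin: bool = False

def portal_url(user_id: str) -> str:
    """Build a URL in the shape quoted in the post (hypothetical pane id kept as given)."""
    return (f"http://localhost:8080/portal/media-type/html/user/{user_id}"
            "/page/default.psml/js_pane/P-f2c3135036-10001")

def owner_from_path(url: str) -> Optional[str]:
    """Return the id that follows the 'user' segment of a portal path, or None."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    for i, seg in enumerate(parts[:-1]):
        if seg == "user":
            return parts[i + 1]
    return None

def vulnerable_lookup(url: str, session: Session) -> Optional[str]:
    """Serves the page of whoever is named in the URL; the session is never consulted."""
    return PSML_STORE.get(owner_from_path(url))

def authorized_lookup(url: str, session: Session) -> Optional[str]:
    """Serves the page only when the session principal may view the path owner's page."""
    owner = owner_from_path(url)
    if owner is None or session.user is None:
        return None                                  # nothing to resolve, or not logged in
    allowed = (
        owner == session.user                        # a user may view their own page
        or session.is_admin
        or session.user in SHARES.get(owner, set())  # or an explicit grant exists
    )
    if not allowed:
        return None                                  # deny; the caller maps this to 403 and logs it
    return PSML_STORE.get(owner)
```

Logging the denied (session user, path owner) pair is what makes the substitution described in the post visible in server logs rather than silently succeeding.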


Re: Security Hole

Posted by Jim Arnott <ja...@bridge.com>.
In the latest CVS version, this is no longer the case. See http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15968 for more info.

jim arnott
Reuters R&D 
