Posted to dev@lenya.apache.org by Joern Nettingsmeier <ne...@folkwang-hochschule.de> on 2006/06/05 00:12:41 UTC

two minor security issues with admin.changePassword

hi everybody!


i've come across two security issues wrt. admin.changePassword while
digging around:

(1) the password dialog is submitted via GET. this will expose the
password to somebody watching the browser's address bar. the attached
patch changes the method to POST. you can argue that security is
currently not implemented anyway, since we are sending clear-text
around. granted. but: we are using <input type="password"/> fields, so
the goal seems to be: hide the password from people watching the screen.
which implies that the values should be POSTed.

(2) the checkOldPassword flag is set via a request parameter, which can
be easily tampered with by normal users.
if this is meant only as a usability thing, that is not a problem. if
however it is meant to protect logged-in users from having their
passwords changed while they are not looking, this issue becomes important.
my suggestion is to always checkOldPassword if the users do not belong
to the admin group, and to hope that admins know better than to leave
their sessions unattended.
i'm not sure though if i have understood all the side-effects of this,
so i would welcome your comments.

jörn





-- 
jörn nettingsmeier

home://germany/45128 essen/lortzingstr. 11/
http://spunk.dnsalias.org
phone://+49/201/491621

if you are a free (as in "free speech") software developer
and you happen to be travelling near my home, drop me a line
and come round for a free (as in "free beer") beer. :-D
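As an added illustration of point (2), not code from Lenya or from the author of this mail, the Python below shows a change-password handler that derives the checkOldPassword decision from the logged-in user's group membership rather than from a request parameter, so a tampered `checkOldPassword` field has no effect. The user store, the group name `ADMIN_GROUP`, the PBKDF2 hashing and the rule that non-admins may change only their own password are assumptions made for this example.

```python
"""Added example, not Lenya's code: decide checkOldPassword on the server.

Issue (2) in the thread is that the flag arrives as a request parameter that
any user can edit. Here the decision is derived from the authenticated
session's group membership and whatever the client sends for
``checkOldPassword`` is ignored. The user store, the group name ``ADMIN_GROUP``
and the PBKDF2 hashing are constructed for this example; the policy follows
the suggestion in the mail (non-admins always prove the old password, admins
need not).
"""
import hashlib
import hmac
import os

ADMIN_GROUP = "admin"  # assumed group name, not Lenya's configuration
PBKDF2_ROUNDS = 100_000


class User:
    def __init__(self, name, groups, password):
        self.name = name
        self.groups = set(groups)
        self.set_password(password)

    def set_password(self, password):
        # fresh random salt on every change; PBKDF2-HMAC-SHA256 from the stdlib
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def verify(self, password):
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        # constant-time comparison of the stored and candidate hashes
        return hmac.compare_digest(self.pw_hash, candidate)


def requires_old_password(actor):
    """Server-side policy: everyone outside the admin group must prove the
    old password. No request parameter takes part in this decision."""
    return ADMIN_GROUP not in actor.groups


def change_password(actor, target, form):
    """actor: the logged-in User; target: the User whose password changes;
    form: the POSTed fields as a dict.

    A client-supplied ``checkOldPassword`` key is only echoed in the result
    message to show that it never influences the outcome."""
    client_flag = form.get("checkOldPassword")  # deliberately not consulted
    new_pw = form.get("newPassword", "")
    if not new_pw:
        return ("error", "no new password given")
    if requires_old_password(actor):
        if target is not actor:
            # assumption for this example: non-admins change only their own password
            return ("error", "only admins may change other users' passwords")
        if not target.verify(form.get("oldPassword", "")):
            return ("error", "old password does not match")
    target.set_password(new_pw)
    return ("ok", "password of %s changed (client flag %r ignored)"
                  % (target.name, client_flag))


if __name__ == "__main__":
    # constructed sample users for the demonstration
    alice = User("alice", [], "hunter2")
    root = User("root", [ADMIN_GROUP], "s3cret")
    # tampered flag, no old password: still refused for a non-admin
    print(change_password(alice, alice,
                          {"newPassword": "new1", "checkOldPassword": "false"}))
    print(change_password(alice, alice,
                          {"newPassword": "new1", "oldPassword": "hunter2"}))
    print(change_password(root, alice, {"newPassword": "reset"}))
```

The only input the policy consults is the session's group set, which the server controls; everything in `form` is treated as untrusted data, and the old-password check is performed against the stored hash of the target account.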


Re: two minor security issues with admin.changePassword

Posted by Bob Harner <bo...@gmail.com>.
On 6/6/06, Jörn Nettingsmeier <po...@uni-duisburg.de> wrote:
> Bob Harner wrote:
> > On 6/6/06, Jörn Nettingsmeier <po...@uni-duisburg.de> wrote:
> >> Bob Harner wrote:
> >> > See http://issues.apache.org/bugzilla/show_bug.cgi?id=38383 which
> >> > contains a fix for (I think) the same kind of problem that existed on
> >> > the login page.
> >>
> >> ah, cool. out of curiosity: why did you do this:
> >>
> >> <form method="post" action="?lenya.usecase=login&amp;lenya.step=login">
> >>
> >> i.e. propagate some parameters via GET? i thought all of cocoon's
> >> getParameter() magic was transparent wrt the method?
> >
> > It has to be mixed like this because the usecase matching in the
> > pipeline only looks at GET parameters.
> >
> > Details: http://article.gmane.org/gmane.comp.cms.lenya.user/9287
>
> YUCK! how disgusting.
> are you sure this is still the case with cocoon 2.1.9-dev? in the code i
> see this:

I don't know whether 2.1.9-dev still exhibits this behavior.  I know 2.1.8 does.

>
> public class WildcardRequestParameterMatcher
>              extends AbstractWildcardMatcher
> {
>      private String defaultParam;
>
> <..>
>      protected String getMatchString(
>             Map objectModel, Parameters parameters
>      ) {
>
> <..>
>          String result = ObjectModelHelper.getRequest(
>                     objectModel).getParameter(paramName);
>          if (result == null) {
>              getLogger().debug("Parameter '" + paramName + "' not set.");
>          }
>
>          return result;
>      }
> }
>
> i'm pretty sure that getParameter() works on both, but i can't test
> right now. can anyone comment on this?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org


Re: two minor security issues with admin.changePassword

Posted by Jörn Nettingsmeier <po...@uni-duisburg.de>.
Bob Harner wrote:
> On 6/6/06, Jörn Nettingsmeier <po...@uni-duisburg.de> wrote:
>> Bob Harner wrote:
>> > See http://issues.apache.org/bugzilla/show_bug.cgi?id=38383 which
>> > contains a fix for (I think) the same kind of problem that existed on
>> > the login page.
>>
>> ah, cool. out of curiosity: why did you do this:
>>
>> <form method="post" action="?lenya.usecase=login&amp;lenya.step=login">
>>
>> i.e. propagate some parameters via GET? i thought all of cocoon's
>> getParameter() magic was transparent wrt the method?
> 
> It has to be mixed like this because the usecase matching in the
> pipeline only looks at GET parameters.
> 
> Details: http://article.gmane.org/gmane.comp.cms.lenya.user/9287

YUCK! how disgusting.
are you sure this is still the case with cocoon 2.1.9-dev? in the code i 
see this:

public class WildcardRequestParameterMatcher
             extends AbstractWildcardMatcher
{
     private String defaultParam;

<..>
     protected String getMatchString(
            Map objectModel, Parameters parameters
     ) {

<..>
         String result = ObjectModelHelper.getRequest(
                    objectModel).getParameter(paramName);
         if (result == null) {
             getLogger().debug("Parameter '" + paramName + "' not set.");
         }

         return result;
     }
}

i'm pretty sure that getParameter() works on both, but i can't test 
right now. can anyone comment on this?



-- 
"Open source takes the bullshit out of software."
	- Charles Ferguson on TechnologyReview.com

--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: pol-admin@uni-due.de, Telefon: 0203/379-2736



Re: two minor security issues with admin.changePassword

Posted by Bob Harner <bo...@gmail.com>.
On 6/6/06, Jörn Nettingsmeier <po...@uni-duisburg.de> wrote:
> Bob Harner wrote:
> > On 6/4/06, Joern Nettingsmeier <ne...@folkwang-hochschule.de> wrote:
> >> hi everybody!
> >>
> >>
> >> i've come across two security issues wrt. admin.changePassword while
> >> digging around:
> >>
> >> (1) the password dialog is submitted via GET. this will expose the
> >> password to somebody watching the browser's address bar. the attached
> >> patch changes the method to POST. you can argue that security is
> >> currently not implemented anyway, since we are sending clear-text
> >> around. granted. but: we are using <input type="password"/> fields, so
> >> the goal seems to be: hide the password from people watching the screen.
> >> which implies that the values should be POSTed.
> >
> > See http://issues.apache.org/bugzilla/show_bug.cgi?id=38383 which
> > contains a fix for (I think) the same kind of problem that existed on
> > the login page.
>
> ah, cool. out of curiosity: why did you do this:
>
> <form method="post" action="?lenya.usecase=login&amp;lenya.step=login">
>
> i.e. propagate some parameters via GET? i thought all of cocoon's
> getParameter() magic was transparent wrt the method?

It has to be mixed like this because the usecase matching in the
pipeline only looks at GET parameters.

Details: http://article.gmane.org/gmane.comp.cms.lenya.user/9287

>
> regards,
>
> jörn
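To make the GET versus POST point from (1) and the mixed login form discussed above concrete, here is an added Python example, not Lenya or Cocoon code, that models what a browser submits for each method, what a web server's access log records, and a dispatcher that, as Bob describes, matches the usecase from the query string only while reading the form fields from the POST body. The request builder, the log line format, the field names and the rule that refuses secret fields in the URL are assumptions made for this example.

```python
"""Added example, not Lenya or Cocoon code: where form fields end up for a
GET form and for the mixed form from the thread (POST body for the fields,
usecase parameters in the action's query string).

The request builder, access-log format and dispatcher are constructed for
this example. The one rule taken from the thread is that usecase matching
looks at the query string only.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# field names assumed for the example
SECRET_FIELDS = {"password", "oldPassword", "newPassword"}

# the thread's form action; in HTML source the '&' is written as '&amp;'
LOGIN_ACTION = "/index.html?lenya.usecase=login&lenya.step=login"


def submit_form(method, action, fields):
    """Model a browser's form submission.

    GET: the fields become the URL's query string, replacing any query the
    action already had (so routing parameters in the action are lost too).
    POST: the action URL is sent unchanged and the fields travel in an
    application/x-www-form-urlencoded body."""
    if method.upper() == "GET":
        base = action.split("?", 1)[0]
        return {"method": "GET", "url": base + "?" + urlencode(fields), "body": ""}
    return {"method": "POST", "url": action, "body": urlencode(fields)}


def access_log_line(request):
    """A typical access log records method and request-URI, never the body."""
    return "%s %s HTTP/1.1" % (request["method"], request["url"])


def _first_values(query_string):
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def dispatch(request):
    """Route on the query string only, read form fields from the body, and
    refuse any request that carries a secret field in the URL."""
    query = _first_values(urlsplit(request["url"]).query)
    leaked = sorted(SECRET_FIELDS & query.keys())
    if leaked:
        return {"status": 400, "reason": "secret field(s) in URL: %s" % leaked}
    usecase = query.get("lenya.usecase")
    if usecase is None:
        return {"status": 404, "reason": "no usecase in query string"}
    return {"status": 200, "usecase": usecase,
            "step": query.get("lenya.step"),
            "fields": _first_values(request["body"])}


if __name__ == "__main__":
    creds = {"username": "alice", "password": "hunter2"}  # constructed sample
    for method in ("GET", "POST"):
        req = submit_form(method, LOGIN_ACTION, creds)
        print(access_log_line(req))
        print("   ->", dispatch(req))
```

Running it shows the GET submission placing `password=hunter2` in the logged request line (and dropping the usecase parameters the action carried), while the POST submission logs only the routing parameters and the dispatcher still finds both the usecase in the query and the credentials in the body.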



Re: two minor security issues with admin.changePassword

Posted by Jörn Nettingsmeier <po...@uni-duisburg.de>.
Bob Harner wrote:
> On 6/4/06, Joern Nettingsmeier <ne...@folkwang-hochschule.de> wrote:
>> hi everybody!
>>
>>
>> i've come across two security issues wrt. admin.changePassword while
>> digging around:
>>
>> (1) the password dialog is submitted via GET. this will expose the
>> password to somebody watching the browser's address bar. the attached
>> patch changes the method to POST. you can argue that security is
>> currently not implemented anyway, since we are sending clear-text
>> around. granted. but: we are using <input type="password"/> fields, so
>> the goal seems to be: hide the password from people watching the screen.
>> which implies that the values should be POSTed.
> 
> See http://issues.apache.org/bugzilla/show_bug.cgi?id=38383 which
> contains a fix for (I think) the same kind of problem that existed on
> the login page.

ah, cool. out of curiosity: why did you do this:

<form method="post" action="?lenya.usecase=login&amp;lenya.step=login">

i.e. propagate some parameters via GET? i thought all of cocoon's 
getParameter() magic was transparent wrt the method?

regards,

jörn


-- 
"Open source takes the bullshit out of software."
	- Charles Ferguson on TechnologyReview.com

--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: pol-admin@uni-due.de, Telefon: 0203/379-2736



Re: two minor security issues with admin.changePassword

Posted by Bob Harner <bo...@gmail.com>.
On 6/4/06, Joern Nettingsmeier <ne...@folkwang-hochschule.de> wrote:
> hi everybody!
>
>
> i've come across two security issues wrt. admin.changePassword while
> digging around:
>
> (1) the password dialog is submitted via GET. this will expose the
> password to somebody watching the browser's address bar. the attached
> patch changes the method to POST. you can argue that security is
> currently not implemented anyway, since we are sending clear-text
> around. granted. but: we are using <input type="password"/> fields, so
> the goal seems to be: hide the password from people watching the screen.
> which implies that the values should be POSTed.

See http://issues.apache.org/bugzilla/show_bug.cgi?id=38383 which
contains a fix for (I think) the same kind of problem that existed on
the login page.

> (2) the checkOldPassword flag is set via a request parameter, which can
> be easily tampered with by normal users.
> if this is meant only as a usability thing, that is not a problem. if
> however it is meant to protect logged-in users from having their
> passwords changed while they are not looking, this issue becomes important.
> my suggestion is to always checkOldPassword if the users do not belong
> to the admin group, and to hope that admins know better than to leave
> their sessions unattended.
> i'm not sure though if i have understood all the side-effects of this,
> so i would welcome your comments.
>
> jörn
