[Yanel-dev] Security issue re user profile resource
Michael Wechner
michael.wechner at wyona.com
Fri May 27 16:13:12 CEST 2011
Hi
I have just noticed and (hopefully) fixed a very bad security issue of
the user profile resource
src/contributions/resources/yanel-user/src/java/org/wyona/yanel/impl/resources/yaneluser/EditYanelUserProfileResource.java
For some reason (which I don't know or remember) one is allowed to use
this resource as follows
http://127.0.0.1:8080/yanel/from-scratch-realm/yanel/users/alice.html?id=lenya
which means one can access other user's profiles by specifying the query
string parameter "id".
Since the policy manager doesn't know how to interpret query strings, it
won't protect the URL above
although the URL
http://127.0.0.1:8080/yanel/from-scratch-realm/yanel/users/lenya.html
is protected (or in this case not accessible by alice).
Of course one does not have to use this resource and/or can just set a
restrictive policy one level higher, e.g.
http://127.0.0.1:8080/yanel/from-scratch-realm/yanel/users
but still ...
I would actually like to remove the functionality of this query string
completely to make sure that
such a case is not possible, but as said above it's not clear to me why
it got introduced in the first place.
Thanks
Michael
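The bypass described in this message, modelled as an added example (this is illustrative code written for this page, not Yanel's code; the handler names, the `PROFILES` table and the path-prefix policy are constructed assumptions). It shows why a path-only policy manager cannot protect a resource that lets a query string parameter `id` override the user named in the path, and a hardened handler that resolves the profile from the path alone and fails closed if `id` is supplied:

```python
from urllib.parse import urlsplit, parse_qs
import posixpath

# Constructed sample data (not Yanel's): profiles keyed by user id.
PROFILES = {
    "alice": {"email": "alice@example.org"},
    "lenya": {"email": "lenya@example.org"},
}


def policy_allows(authenticated_user, path):
    """Stand-in for a policy manager that only ever sees the path.

    Rule (assumed): users/<name>.html is readable by <name> only.
    The query string is never consulted, which is the point.
    """
    name = posixpath.basename(path)
    if not name.endswith(".html"):
        return False
    owner = name[: -len(".html")]
    return owner == authenticated_user


def _split(url):
    parts = urlsplit(url)
    return parts.path, parse_qs(parts.query)


def vulnerable_handler(authenticated_user, url):
    """Profile resource that honours ?id=<other user>.

    The policy check passes because the path names the caller's own
    profile, then the handler silently switches to the user from the
    query string: an access-control bypass (IDOR).
    """
    path, query = _split(url)
    if not policy_allows(authenticated_user, path):
        return None  # would be a 403
    owner = posixpath.basename(path)[: -len(".html")]
    target = query.get("id", [owner])[0]  # query string overrides the path
    return PROFILES.get(target)


def hardened_handler(authenticated_user, url):
    """Profile resource with the query-string override removed.

    The profile is resolved from the path only. A supplied ?id= that does
    not match the path is treated as an attack and refused rather than
    ignored, and the resolved owner is re-checked against the caller so a
    looser policy one level up still cannot leak another user's profile.
    """
    path, query = _split(url)
    if not policy_allows(authenticated_user, path):
        return None
    owner = posixpath.basename(path)[: -len(".html")]
    if query.get("id", [owner])[0] != owner:
        return None  # fail closed on a mismatching id parameter
    if owner != authenticated_user:
        return None  # defence in depth, independent of the policy
    return PROFILES.get(owner)


if __name__ == "__main__":
    base = "http://127.0.0.1:8080/yanel/from-scratch-realm/yanel/users/"
    print(vulnerable_handler("alice", base + "alice.html?id=lenya"))  # leaks lenya
    print(hardened_handler("alice", base + "alice.html?id=lenya"))    # None
```

The handlers take the authenticated user explicitly so the same calls can be exercised offline; in a servlet the value would come from the session.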