From: Honza M. <hon...@ec...> - 2003-01-20 09:32:52
I found another, much more serious problem in this - caching. If I update an item on such a page (you can test on FAQ), then the new page is generated from the database and my AA_CP_Session id is added. BUT, this page is CACHED (internally in AA for both slice.php3 as well as view.php3), so EVERYONE who goes to the page obtains the page from the cache WITH MY SESSION ID. I think we really have to stop exporting AA_CP_Session ids outside of the Admin interface.

Honza

On Sun, 2003-01-12 at 22:11, Mitra wrote:
> It's a good point, I was trying to think of security holes in it.
>
> I think this is a bit of a non-worry for a number of reasons.
> 1: Most browsers don't send referer URLs any more - really annoying
> when you are trying to track things down.
> 2: The hacker would have to be on a site you linked to, and react
> within three hours.
>
> I just don't see this as a big security hole.
>
> - Mitra
>
>
> At 10:05 PM +0100 12/1/03, Honza Malik wrote:
> >On Sun, 2003-01-12 at 02:08, Mitra wrote:
> >> The biggest change is that _#EDITITEM should now work in most cases
> >> outside of the admin interface, with the user being prompted for a
> >> userid/password and then returned back to where they came from.
> >
> >It's nice. Thanks Mitra.
> >
> >Just one note: It's not secure to add AA_CP_Session to URLs outside of
> >the AA Admin interface (like in FAQ). If there is any link to any other
> >webpage (in FAQ), it is possible to get your session id (AA_CP_Session)
> >from the 'Referer' field. With this id (or URL) you are able to access AA
> >admin pages without login (for 3 hours, until the session id expires).
> >
> >I would probably prefer to create the link without the session id (with
> >f_e) as default (so users have to log in on every item edit) and then
> >maybe create an optional f_e for those admins who know about this problem
> >and don't care. At least we have to mention it in the FAQ.
> >
> >What do you think?
> >
> > Honza
> >
> >> - Mitra
> >>
> >>
> >>
> >> 01/12/02 - changed site module to go to prior sibling when deleting
> >> rather than parent
> >> 01/12/02 - added default $item=null to new_unalias_recurent to allow
> >> calling from site module without warnings
> >> 01/12/02 - fixed adding AA_CP_Session to url in site module AAPage
> >> where it is already there.
> >> 01/12/02 - changes to allow _#EDITITEM to be used outside of admin interface
> >> 01/12/02 - combined several ways of redirecting to a URL into common
> >> function go_return_or_url
> >
> >
> >
> >_______________________________________________
> >Apc-aa-coders mailing list
> >Apc...@li...
> >https://lists.sourceforge.net/lists/listinfo/apc-aa-coders
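The two leaks discussed in the thread, modelled as an added example (this is not ActionApps code and does not reproduce the real slice.php3/view.php3 cache; the names `PageCache`, `render_page`, `serve_vulnerable`, `serve_fixed`, `strip_session_param` and `session_from_referer` are hypothetical, as is the `/apc-aa/admin/itemedit.php3` link target). The first part shows why a whole-page cache keyed only on the page URL turns one editor's AA_CP_Session into everyone's: whoever triggers the render first has their session id baked into the cached HTML. The second part shows Honza's first point, recovering the session id from a Referer header sent to a linked site. The "fixed" server strips the session parameter from every link before the page enters the cache, which is the "link without the session id, log in on every item edit" default he proposes.

```python
"""Added example, not part of the original thread or of ActionApps."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_PARAM = "AA_CP_Session"  # parameter name from the thread
EDIT_URL = "/apc-aa/admin/itemedit.php3"  # hypothetical admin edit page


class PageCache:
    """Whole-page cache keyed only on the page name (the vulnerable shape)."""

    def __init__(self):
        self._store = {}

    def get(self, key):
        return self._store.get(key)

    def put(self, key, html):
        self._store[key] = html


def edit_link(item_id, session_id=None):
    """_#EDITITEM-style link; with session_id it embeds the editor's session."""
    params = {"edit": item_id}
    if session_id:
        params[SESSION_PARAM] = session_id
    return EDIT_URL + "?" + urlencode(params)


def render_page(page, item_id, session_id=None):
    """Render a public page (e.g. FAQ) with an edit link for the current user."""
    return f'<h1>{page}</h1>\n<a href="{edit_link(item_id, session_id)}">edit</a>\n'


def serve_vulnerable(cache, page, item_id, session_id=None):
    """Cache the rendered page as-is: the first renderer's session id is
    served to every later visitor until the cache entry expires."""
    html = cache.get(page)
    if html is None:
        html = render_page(page, item_id, session_id)
        cache.put(page, html)
    return html


def strip_session_param(html):
    """Remove AA_CP_Session from the query string of every href in the HTML."""

    def fix(match):
        parts = urlsplit(match.group(1))
        query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k != SESSION_PARAM]
        return 'href="' + urlunsplit(parts._replace(query=urlencode(query))) + '"'

    return re.sub(r'href="([^"]*)"', fix, html)


def serve_fixed(cache, page, item_id, session_id=None):
    """Only session-free HTML may enter the shared cache; the edit link then
    sends the user through the login prompt instead of reusing a session."""
    html = cache.get(page)
    if html is None:
        html = strip_session_param(render_page(page, item_id, session_id))
        cache.put(page, html)
    return html


def page_leaks_session(html, session_id):
    """True if the given session id appears anywhere in the served HTML."""
    return session_id in html


def session_from_referer(referer):
    """What a linked-to site sees: the session id, if it was in the URL."""
    if not referer:
        return None
    for key, value in parse_qsl(urlsplit(referer).query):
        if key == SESSION_PARAM:
            return value
    return None


if __name__ == "__main__":
    cache = PageCache()
    serve_vulnerable(cache, "faq", 42, "s3cr3t")          # editor updates an item
    anon = serve_vulnerable(cache, "faq", 42)             # next anonymous visitor
    print("vulnerable cache leaks editor session:", page_leaks_session(anon, "s3cr3t"))

    cache = PageCache()
    serve_fixed(cache, "faq", 42, "s3cr3t")
    anon = serve_fixed(cache, "faq", 42)
    print("fixed cache leaks editor session:", page_leaks_session(anon, "s3cr3t"))

    # constructed Referer as a linked site would log it
    ref = "http://example.org/faq?page=1&AA_CP_Session=s3cr3t"
    print("session recovered from Referer:", session_from_referer(ref))
```

The cache-key problem is the general one: any per-user token that ends up in rendered output (session ids in links, CSRF tokens, personalised text) must either keep the page out of the shared cache or be removed before the page is stored. Stripping the parameter also closes the Referer channel, since there is then nothing in the public page's URLs to leak.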