From: Mitra <mi...@mi...> - 2003-01-20 10:36:20

Hmmm - This is a good point. One alternative would be to add the AA_CP_Session to the cache string. Even if this is not sufficient, this is something we need to do. What do you think?

- Mitra

At 10:50 AM +0100 20/1/03, Honza Malik wrote:
>I found another, much more serious problem in this - caching.
>
>If I update an item on such a page (you can test on FAQ), then a new page is
>generated from the database and my AA_CP_Session id is added. BUT, this page
>is CACHED (internally in AA for both - slice.php3 as well as view.php3),
>so EVERYONE who goes to the page obtains the page from the cache WITH MY
>SESSION ID.
>
>I think we really have to remove the export of AA_CP_Session ids outside of
>the Admin interface.
>
> Honza
>
>On Ne, 2003-01-12 at 22:11, Mitra wrote:
>> It's a good point, I was trying to think of security holes in it.
>>
>> I think this is a bit of a non-worry for a number of reasons.
>> 1: Most browsers don't send referer URLs any more - really annoying
>> when you are trying to track things down.
>> 2: The hacker would have to be on a site you linked to, and react
>> within three hours.
>>
>> I just don't see this as a big security hole.
>>
>> - Mitra
>>
>> At 10:05 PM +0100 12/1/03, Honza Malik wrote:
>> >On Ne, 2003-01-12 at 02:08, Mitra wrote:
>> >> The biggest change is that _#EDITITEM should now work in most cases
>> >> outside of the admin interface, with the user being prompted for a
>> >> userid/password and then returned back to where they came from.
>> >
>> >It's nice. Thanks Mitra.
>> >
>> >Just one note: It's not secure to add AA_CP_Session to urls outside of
>> >the AA Admin interface (like in FAQ). If there is any link to any other
>> >webpage (in FAQ), it is possible to get your session id (AA_CP_Session)
>> >from the 'Referer' field. With this id (or url) you are able to access AA
>> >admin pages without login (for 3 hours, until the session id expires).
>> >
>> >I would probably prefer to create the link without the session id (with
>> >f_e) as default (so users have to log in on every item edit) and then
>> >maybe create an optional f_e for those admins who know about this problem
>> >and don't care. At least we have to mention it in the FAQ.
>> >
>> >What do you think?
>> >
>> > Honza
>> >
>> >> - Mitra
>> >>
>> >> 01/12/02 - changed site module to go to prior sibling when deleting
>> >> rather than parent
>> >> 01/12/02 - added default $item=null to new_unalias_recurent to allow
>> >> calling from site module without warnings
>> >> 01/12/02 - fixed adding AA_CP_Session to url in site module AAPage
>> >> where it is already there.
>> >> 01/12/02 - changes to allow _#EDITITEM to be used outside of
>> >> admin interface
>> >> 01/12/02 - combined several ways of redirecting to a URL into common
>> >> function go_return_or_url
>> >
>> >_______________________________________________
>> >Apc-aa-coders mailing list
>> >Apc...@li...
>> >https://lists.sourceforge.net/lists/listinfo/apc-aa-coders

-- 
Mitra Technology Consulting - www.mitra.biz - mi...@mi...
02-6684-8096 or 0414-648-0722
Life is a Mystery to be Lived, not a Problem to be Solved
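The following is an added illustration of the caching problem discussed in this thread; it is not code from ActionApps or from either correspondent. It reproduces in miniature what Honza describes (a page rendered for a logged-in editor, with the editor's AA_CP_Session id embedded in the _#EDITITEM link, is stored in a cache keyed only by URL and then served to anonymous visitors) and contrasts it with the two remedies the thread mentions: adding the session id to the cache key, and not exporting the session id outside the admin interface at all. The functions render_page, PageCache and foreign_session_ids, the request sequence and the session id values are constructed for the example; only the parameter name AA_CP_Session and the three-hour expiry context come from the thread.

```python
# Added illustration of the cache leak discussed in the thread.
# Not ActionApps (AA) code: render_page, PageCache, foreign_session_ids,
# the request list and the session ids are constructed for this example.
import re
from urllib.parse import urlencode

SESSION_RE = re.compile(r"AA_CP_Session=([0-9a-f]+)")


def render_page(item_id, session_id=None, export_session=True):
    """Render a public page whose _#EDITITEM link points at the admin.

    export_session=True appends the caller's session id to the edit URL
    (the behaviour Honza objects to); export_session=False renders the
    link without it, so the user is prompted to log in when editing.
    """
    params = {"id": item_id}
    if export_session and session_id:
        params["AA_CP_Session"] = session_id
    return (f"<p>FAQ item {item_id}</p>"
            f'<a href="/admin/itemedit.php3?{urlencode(params)}">edit</a>')


class PageCache:
    """Toy page cache. key_mode selects what the cache key is built from:
    'url'         - URL only (the leaky behaviour described in the thread)
    'url+session' - URL plus the requester's session id (Mitra's proposal)
    """

    def __init__(self, key_mode="url", export_session=True):
        self.key_mode = key_mode
        self.export_session = export_session
        self.store = {}

    def get(self, url, item_id, session_id=None):
        key = url if self.key_mode == "url" else (url, session_id)
        if key not in self.store:
            # First request for this key renders from "the database".
            self.store[key] = render_page(item_id, session_id,
                                          self.export_session)
        return self.store[key]


def foreign_session_ids(cache, requests):
    """Replay (url, item_id, session_id) requests against a cache and
    return (requester_session, leaked_session) pairs for every session id
    handed to a requester who does not own it."""
    leaked = []
    for url, item_id, session_id in requests:
        page = cache.get(url, item_id, session_id)
        for sid in SESSION_RE.findall(page):
            if sid != session_id:
                leaked.append((session_id, sid))
    return leaked


# Constructed request sequence: an editor (session 'a1b2c3') views the
# FAQ page after updating an item, then two anonymous visitors load it.
REQUESTS = [
    ("/faq", "42", "a1b2c3"),
    ("/faq", "42", None),
    ("/faq", "42", None),
]


def leaks_by_configuration():
    """Compare the three configurations discussed in the thread."""
    return {
        "url-keyed, session exported":
            foreign_session_ids(PageCache("url"), REQUESTS),
        "url+session keyed, session exported":
            foreign_session_ids(PageCache("url+session"), REQUESTS),
        "url-keyed, session not exported":
            foreign_session_ids(PageCache("url", export_session=False),
                                REQUESTS),
    }


if __name__ == "__main__":
    for name, leaks in leaks_by_configuration().items():
        print(f"{name:40s} {leaks or 'no leak'}")
```

Running it shows the URL-keyed cache handing the editor's session id to both anonymous visitors, while either remedy stops that particular leak. Keying the cache on the session only addresses the cache path; the id is still present in the editor's own copy of the page and therefore still exposed through the Referer header on any outbound link, which is the first problem Honza raised and why the thread also discusses not exporting the id outside the admin interface.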