From: Mitra <mi...@mi...> - 2003-01-29 00:56:24
Ok - I'll put this in, which will fix the current clear security problem. If you don't want to export AA_CP_Session, what other solution would be better to allow moving smoothly between viewing and editing items on a site? Maybe using cookies for the authentication would be better? Or maybe you could deal with your "HTTP_REFERER" concern by linking AA_CP_Session with the IP address.

- Mitra

At 12:42 AM +0100 29/1/03, Honza Malik wrote:
> Sorry for no response. I think adding AA_CP_Session to the cache str2find string could help.
>
> On the other hand, you probably know I'm not a friend of exporting AA_CP_Session outside of the AA Admin interface (referer problem, ...), so I will probably encourage Econnect's administrators not to use this feature on our servers. It doesn't mean I do not want this feature in AA - I just want to mention possible problems in the FAQ - the usage of such a feature is then up to admins.
>
> Honza
>
> On St, 2003-01-29 at 00:04, Mitra wrote:
>> Honza -
>>
>> I don't see a reply to this ... do you think adding the AA_CP_Session to the cache string is a good idea?
>>
>> - Mitra
>>
>> At 9:34 PM +1100 20/1/03, Mitra wrote:
>>> Hmmm -
>>> This is a good point.
>>> One alternative would be to add the AA_CP_Session to the cache string.
>>> Even if this is not sufficient, this is something we need to do.
>>> What do you think?
>>> - Mitra
>>>
>>> At 10:50 AM +0100 20/1/03, Honza Malik wrote:
>>>> I found another, much more serious problem in this - caching.
>>>>
>>>> If I update an item on such a page (you can test on FAQ), then a new page is generated from the database and my AA_CP_Session id is added. BUT, this page is CACHED (internally in AA for both slice.php3 as well as view.php3), so EVERYONE who goes to the page obtains the page from cache WITH MY SESSION ID.
>>>>
>>>> I think we really have to remove exporting AA_CP_Session ids outside of the Admin interface.
>>>>
>>>> Honza
>>>>
>>>> On Ne, 2003-01-12 at 22:11, Mitra wrote:
>>>>> It's a good point, I was trying to think of security holes in it.
>>>>>
>>>>> I think this is a bit of a non-worry for a number of reasons.
>>>>> 1: Most browsers don't send referer URLs any more - really annoying when you are trying to track things down.
>>>>> 2: The hacker would have to be on a site you linked to, and react within three hours.
>>>>>
>>>>> I just don't see this as a big security hole.
>>>>>
>>>>> - Mitra
>>>>>
>>>>> At 10:05 PM +0100 12/1/03, Honza Malik wrote:
>>>>>> On Ne, 2003-01-12 at 02:08, Mitra wrote:
>>>>>>> The biggest change is that _#EDITITEM should now work in most cases outside of the admin interface, with the user being prompted for a userid/password and then returned back to where they came from.
>>>>>>
>>>>>> It's nice. Thanks Mitra.
>>>>>>
>>>>>> Just one note: It's not secure to add AA_CP_Session to URLs outside of the AA Admin interface (like in FAQ). If there is any link to any other webpage (in FAQ), it is possible to get your session id (AA_CP_Session) from the 'Referer' field. With this id (or url) you are able to access AA admin pages without login (for 3 hours, when the session id expires).
>>>>>>
>>>>>> I would probably prefer to create the link without the session id (with f_e) as default (so users have to log in on every item edit) and then maybe create an optional f_e for those admins who know about this problem and don't care. At least we have to mention it in the FAQ.
>>>>>>
>>>>>> What do you think?
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>>> - Mitra
>>>>>>>
>>>>>>> 01/12/02 - changed site module to go to prior sibling when deleting rather than parent
>>>>>>> 01/12/02 - added default $item=null to new_unalias_recurent to allow calling from site module without warnings
>>>>>>> 01/12/02 - fixed adding AA_CP_Session to url in site module AAPage where it is already there.
>>>>>>> 01/12/02 - changes to allow _#EDITITEM to be used outside of admin interface
>>>>>>> 01/12/02 - combined several ways of redirecting to a URL into common function go_return_or_url
>
> _______________________________________________
> Apc-aa-coders mailing list
> Apc...@li...
> https://lists.sourceforge.net/lists/listinfo/apc-aa-coders

--
Mitra Technology Consulting - www.mitra.biz - mi...@mi...
02-6684-8096 or 0414-648-0722
Life is a Mystery to be Lived, not a Problem to be Solved
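The cache leak Honza describes (a page rendered with the editor's AA_CP_Session id is stored in the page cache and then served to every later visitor) and the proposed fix of adding the session id to the cache key, as an added illustration in Python. This is not the project's PHP code: the renderer, the cache, the function names and the sample session id are all constructed for the demonstration.

```python
"""Constructed model of the AA page-cache leak discussed in the thread.

A page rendered for a logged-in editor carries an edit link with the
AA_CP_Session id. If the cache key is the page URL alone, that copy is
handed to anonymous visitors too. Keying the cache on the session id as
well (the thread's proposal) isolates each editor's copy; anonymous
visitors share the entry that never contained an edit link.
"""
from urllib.parse import urlencode

SESSION_PARAM = "AA_CP_Session"


def render_page(url, session_id):
    """Hypothetical renderer: only editors get an edit link, and it carries their session id."""
    body = "<h1>FAQ item at %s</h1>" % url
    if session_id:
        body += '<a href="/admin/edit.php3?%s">edit</a>' % urlencode({SESSION_PARAM: session_id})
    return body


def cache_key_url_only(url, session_id):
    """Original behaviour: the key ignores who the page was rendered for."""
    return url


def cache_key_with_session(url, session_id):
    """Proposed behaviour: the session id (empty for anonymous) is part of the key."""
    return "%s|%s" % (url, session_id or "")


def serve_sequence(key_fn, requests):
    """Serve (url, session_id) requests through a simple dict cache; return the pages served."""
    cache = {}
    served = []
    for url, sid in requests:
        key = key_fn(url, sid)
        if key not in cache:  # cache miss: render for this requester and store
            cache[key] = render_page(url, sid)
        served.append(cache[key])
    return served


def anonymous_sees_session(key_fn):
    """True if an anonymous visitor receives a page containing the editor's session id."""
    editor_sid = "CONSTRUCTED-SESSION-1234"  # constructed sample value, not a real id
    requests = [("/view.php3?vid=42", editor_sid), ("/view.php3?vid=42", None)]
    served = serve_sequence(key_fn, requests)
    return editor_sid in served[1]
```

Run `anonymous_sees_session` with each key function to see the leak under the URL-only key and its absence once the session id is part of the key.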