From: Michael M. <mi...@gn...> - 2007-06-11 11:58:53
Hi, we had a discussion about this kind of scenario a while ago in the office. Then, of course, it really happens. It's very handy at times that any view can display any item no matter what slice. On the other side, and especially with short item ids, it creates problems for shared installations. If there's a public submit form on any site using the shared installation, AA is prone to abuse by spammers. They submit their stuff there, somehow figure out the short id, and then use any other site to display their content, link to it etc.

Secondly, storing any private data is a security risk, as even if there are access restrictions on the original site, anyone can just use another slice or view on the same installation to access that information. Together with short ids it's actually possible to do an almost complete dump of the content of an AA installation.

An access control could work like this: on access to an item, retrieve the slice id of the item and the slice id of the view and check if they match. This would at least secure access where a slice password is set.

Regards,
mimo

---------- Forwarded Message ----------

Begin forwarded message:

> From: "Matt Cutts" <ma...@go...>
> Date: 11 June 2007 09:28:44 BDT
> Subject: your site has some weird urls on it
>
> Hi, my name is Matt Cutts and I'm a software engineer at Google. I wanted to mention that it looks like someone has the ability to add posts on your site; not sure if it's a hack or some other security hole.
>
> See
> http://DELETED/article.shtml?cmd[347]=x-347-553962
> http://DELETED/article.shtml?cmd[347]=x-347-553963
> for example. I wasn't sure whether to write, but the urls have been up for a few hours, so I thought I'd drop you a line in case you weren't aware.
>
> Regards,
> Matt

_______________________________________________
Tech-l mailing list
Te...@gn...
http://mailman-new.greennet.org.uk/mailman/listinfo/tech-l
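The slice check proposed in the message above (compare the slice that owns the item with the slice the view belongs to), as an added example written here and not code from the original post or from AA itself. The table names, the sample ids and the 404 handler are constructed for illustration; the one design choice worth noting is that the view's slice is resolved from a server-side table, never from the request, and that unknown ids are denied rather than allowed.

```python
# Added example (not AA code): a fail-closed slice check for item views.
# Assumptions (constructed): items and views live in server-side tables
# keyed by id; only the ids come from the request, the slice ids do not.
from typing import Optional

# Constructed sample tables: two slices on one shared installation.
ITEM_SLICE = {            # item id -> slice id that owns the item
    "553962": "slice-public",   # submitted through the public form
    "553963": "slice-public",
    "100001": "slice-private",  # restricted content of another slice
}
VIEW_SLICE = {            # view id -> slice id the view belongs to
    "347": "slice-public",
    "412": "slice-private",
}

DENIAL_LOG: list = []   # stands in for the web/application log


def authorize_item(view_id: str, item_id: str) -> Optional[str]:
    """Return the item's slice id if `view_id` may display `item_id`, else None.

    Denies when either id is unknown (fail closed) and when the two slices
    differ, so content cannot be surfaced through another slice's view.
    """
    view_slice = VIEW_SLICE.get(view_id)   # server-side, not from the URL
    item_slice = ITEM_SLICE.get(item_id)
    if view_slice is None or item_slice is None or view_slice != item_slice:
        # Record both ids: a run of mismatches from one client is the
        # "display through another site" pattern the message describes.
        DENIAL_LOG.append(f"deny view={view_id} item={item_id} "
                          f"view_slice={view_slice} item_slice={item_slice}")
        return None
    return item_slice


def render_item(view_id: str, item_id: str) -> str:
    """Request handler: cross-slice and unknown items look identical (404)."""
    if authorize_item(view_id, item_id) is None:
        return "404 Not Found"
    return f"200 OK: item {item_id} via view {view_id}"
```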