Fw: Calling service remotely - security concern


Jacques Le Roux
Administrator
Forwarded, not sure why it's needed... Looks like OE-QuoteFix is the culprit...

Jacques

----- Original Message -----
From: "Jacques Le Roux" <[hidden email]>
To: <[hidden email]>
Sent: Thursday, July 01, 2010 10:35 AM
Subject: Re: Calling service remotely - security concern


> Indeed, looks like a real security concern. I did not look on how to retrieve another user's UserLogin though. If this is possible
> then it's a real concern!
>
> Jacques
>
> Scott Gray wrote:
>> I think Muhammed's point is that once a user has authenticated using their own username/password, it is possible that they could
>> retrieve another user's UserLogin record and then use it to execute services without needing to know that user's password.
>>
>> Regards
>> Scott
>>
>> HotWax Media
>> http://www.hotwaxmedia.com
>>
>> On 1/07/2010, at 7:58 PM, Jacques Le Roux wrote:
>>
>>> In your example you needed 1st to know the login/pwd couple. So I can't see the problem here.
>>>
>>> Jacques
>>>
>>> From: "Muhammed Aamir" <[hidden email]>
>>>>>> All services where auth="true" take at least three IN (or INOUT) parameters
>>>>>> by default: 1) login.username 2) login.password and 3) loginUser.
>>>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat (or
>>>>>> my understanding is wrong). Any user (calling service remotely) can pass
>>>>>> loginUser GV (which he somehow got hold of, maybe by invoking getRelated
>>>>>> sort of method on some other GV) which might not belong to her.
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 1, 2010, at 1:42, David E Jones <[hidden email]> wrote:
>>>
>>>>>>> All services where auth="true" take at least three IN (or INOUT) parameters
>>>>>>> by default: 1) login.username 2) login.password and 3) loginUser.
>>>>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat (or
>>>>>>> my understanding is wrong). Any user (calling service remotely) can pass
>>>>>>> loginUser GV (which he somehow got hold of, maybe by invoking getRelated
>>>>>>> sort of method on some other GV) which might not belong to her.
>
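The mitigation implied by the thread is that a service dispatcher must derive the acting user from credentials it verified itself and never from a loginUser record handed in by a remote caller. The following is an added, self-contained illustration of that rule written for this page; it is not OFBiz code and uses none of its APIs. The names (authenticate, dispatch, who_am_i, the "login.username"/"login.password"/"loginUser" context keys) and the in-memory user store are constructed for the example.

```python
"""
Dispatcher check for auth-required services (hypothetical, not OFBiz code).

Rule demonstrated: when a service requires authentication, the 'loginUser'
placed in the service context is the record resolved from the verified
login.username/login.password pair.  Any 'loginUser' that arrived with the
remote request is discarded, and a mismatch is recorded for audit.
"""
import hashlib
import hmac
import os

# Constructed in-memory user store: userLoginId -> salted PBKDF2 hash.
_USERS = {}
AUDIT = []  # constructed audit sink; a real system would log this


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _add_user(user_login_id, password):
    salt = os.urandom(16)
    _USERS[user_login_id] = {
        "userLoginId": user_login_id,
        "salt": salt,
        "hash": _hash(password, salt),
        "enabled": True,
    }


_add_user("alice", "alice-pass")  # constructed sample accounts
_add_user("admin", "admin-pass")


class AuthError(Exception):
    pass


def authenticate(username, password):
    """Return a minimal UserLogin-like view only if the credentials verify."""
    rec = _USERS.get(username)
    # Same failure path whether the account is unknown or disabled.
    if rec is None or not rec["enabled"]:
        raise AuthError("bad credentials")
    if not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
        raise AuthError("bad credentials")
    return {"userLoginId": rec["userLoginId"]}


def dispatch(service, context, auth_required=True):
    """Run `service` with a context whose loginUser is dispatcher-verified."""
    ctx = dict(context)
    if auth_required:
        # Whatever loginUser the caller supplied is removed before dispatch.
        supplied = ctx.pop("loginUser", None)
        username = ctx.pop("login.username", None)
        password = ctx.pop("login.password", None)
        if username is None or password is None:
            raise AuthError('auth="true" service called without credentials')
        user_login = authenticate(username, password)
        if supplied is not None and supplied.get("userLoginId") != username:
            # The pattern the thread worries about: a caller authenticated as
            # one user but passed another user's record. Keep the verified
            # identity and record the attempt.
            AUDIT.append(
                f"loginUser mismatch: authenticated={username} "
                f"supplied={supplied.get('userLoginId')}"
            )
        ctx["loginUser"] = user_login
    return service(ctx)


def who_am_i(ctx):
    """Sample service: report the identity the dispatcher bound to the call."""
    return ctx["loginUser"]["userLoginId"]


if __name__ == "__main__":
    result = dispatch(who_am_i, {
        "login.username": "alice",
        "login.password": "alice-pass",
        "loginUser": {"userLoginId": "admin"},  # smuggled record, ignored
    })
    print(result, AUDIT)
```

Note that the service body never sees the caller-supplied record at all; the only way to act as "admin" is to present admin's password to the dispatcher.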