>I agree, but the other fix is also necessary: what if somebody found
>some other way to access the system, ie via Web services?
>
>Want to create a couple of JIRA issues for these, maybe post your
>comments and mine?
>
>Si
>
>Vinay Agarwal wrote:
>
>  
>
>>I think there is a general security risk with storing database keys, or any
>>"important" information, in form fields, hidden or not. Overall security is
>>much easier to achieve by not giving user access to this data than to try to
>>contain the contaminant input. In other words follow these two rules:
>>
>>1. Not store any important information in user forms, instead save them in
>>session.
>>2. Save only the data in hidden user form that cannot impact security if
>>changed, e.g., sequence page id for multi-page data entry forms.
>>
>>So, I would simply recommend converting all 241 or so potentially unsafe
>>ftl's and corresponding event handlers to use session and instead of hidden
>>fields.
>>
>>Regards,
>>Vinay Agarwal
>>
>>
>>-----Original Message-----
>>From: [hidden email] [mailto:[hidden email]]
>>On Behalf Of Si Chen
>>Sent: Friday, February 10, 2006 4:10 PM
>>To: OFBiz Users / Usage Discussion
>>Subject: Re: [OFBiz] Users - Hidden partyId - Security Risk?
>>
>>Vinay,
>>
>>My hunch is that:
>>ServiceUtil.getPartyIdCheckSecurity(userLogin, security, context,
>>result, "PAY_INFO", "_UPDATE");
>>is not enough. This checks if the partyId of the userLogin is the
>>partyId in the context or if the userLogin has PAY_INFO_UPDATE.
>>
>>I think the security check there should be:
>>1. Does userLogin have PAY_INF_UPDATE? Yes -> good. This can be done
>>with hasEntityPermission
>>2. If not (1), is the userLogin the partyId in the context AND the
>>partyId of the PaymentMethod? Yes -> good.
>>
>>We may be missing the second part here...
>>
>>Want to try it? :)
>>
>>Si
>>
>>Vinay Agarwal wrote:
>>
>>
>>
>>    
>>
>>>My testing did find problem with hidden paymentMethodId field that I
>>>am describing below. In addition, there are 240 other ftl files that
>>>contain hidden fields and may pose security risk although I have not
>>>looked at anyone else.
>>>
>>>File: applications/ecommerce/webapp/ecommerce/customer/editcreditcard.ftl
>>>
>>>Statement: <input type="hidden" name="paymentMethodId"
>>>value="${paymentMethodId}">
>>>
>>>Theory:
>>>
>>>A hacked form may change the paymentMethodId and modify data that the
>>>user does not have authorization for
>>>
>>>Method:
>>>
>>>  1. Ecommerce application, signed up as "firstuser" and added a
>>>     credit card. Its paymentMethodId came out to be 10000.
>>>  2. Logged out and signed up as "seconduser" and added a credit
>>>     card. Its paymentMethodId came out to be 10001.
>>>  3. Logged in as seconduser, clicked on update credit card. Saved
>>>     the html page locally.
>>>  4. Edited the saved html page
>>>        1. Changed paymentMethodId from 10001 to 10000.
>>>        2. Added http://localhost:8443 <http://localhost:8443/> to
>>>           the action url.
>>>  5. Expected result: firstuser and seconduser each has one credit card.
>>>  6. Actual result: firstuser had no card and the second user had 2
>>>     cards as seen on the profile page.
>>>
>>>Conclusion:
>>>
>>>A user is able to modify data that he is not authorized for.
>>>
>>>I would like to know if you can reproduce it. I can add it to Jira if
>>>needed.
>>>
>>>Regards,
>>>
>>>Vinay Agarwal
>>>
>>>------------------------------------------------------------------------
>>>
>>>
>>>_______________________________________________
>>>Users mailing list
>>>[hidden email]
>>>http://lists.ofbiz.org/mailman/listinfo/users
>>>
>>>  
>>>
>>>      
>>>
>>_______________________________________________
>>Users mailing list
>>[hidden email]
>>http://lists.ofbiz.org/mailman/listinfo/users
>>
>>_______________________________________________
>>Users mailing list
>>[hidden email]
>>http://lists.ofbiz.org/mailman/listinfo/users
>>
>>
>>
>>    
>>
>
>_______________________________________________
>Users mailing list
>[hidden email]
>http://lists.ofbiz.org/mailman/listinfo/users
>  
>