Forum OpenACS Development: Re: Possible Vulnerability in basic-info-update-2.tcl

Posted by Barry Books on
Signing the variable would be a good idea and would fix hacking attempts. Having a way to validate by object type would find programming errors. That is perhaps not that important, and it would require a database hit. It could also check that it's a number. Validating attributes seems more useful and would not require a database hit (at least not for every one).

I found this problem by running a security scan against the site. It does things like put letters into the user_id and increment it and decrement it. It reports possible problems because this does not cause an error (other than a request error). The two classes of problems it finds are that object_ids and parameter values are not properly validated. Most of the problems result in a request error. Most are not real problems, but relying on variables really being the right object_id and the parameter really being the right size and type may not be the right defense against hacking either. Oracle will report an error, but they might be used for other things.

If you are running 4.2 I suggest signing the user_id. The current version appears to let you change the email and url of any party (including groups) you have write access to. You can also add a bio to any object you have write access to. While these may not be fatal, they are certainly not a feature either.
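The post recommends signing user_id so that a client cannot simply increment or decrement it, and separately notes that a cheap attribute check (is it a number?) can run before any database hit. The following is an added example, not code from the post or from OpenACS; it shows the same idea in generic Python with an HMAC. OpenACS has its own implementation of this (ad_sign and ad_verify_signature, which back the verify filter of ad_page_contract), so in a real OpenACS page you would use that rather than this. The function names (sign, export_signed_vars, get_signed_int, scanner_probes), the query-string layout with a `<name>_sig` field, and the secret key are all assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed server-side secret for this example only; a real deployment
# loads it from configuration and never sends it to the client.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


class TamperedParameter(Exception):
    """Raised when a parameter fails the type check or the signature check."""


def sign(name, raw_value, key=SECRET_KEY):
    # Bind the signature to the parameter name as well as the value, so a
    # signature issued for user_id=42 cannot be replayed as party_id=42.
    msg = f"{name}={raw_value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def export_signed_vars(key=SECRET_KEY, **params):
    """Build a query string carrying each parameter plus a <name>_sig field."""
    pairs = {}
    for name, value in params.items():
        raw = str(value)
        pairs[name] = raw
        pairs[f"{name}_sig"] = sign(name, raw, key)
    return urlencode(pairs)


def get_signed_int(query, name, key=SECRET_KEY):
    """Parse and verify a signed integer parameter from a query string.

    Check order mirrors the post: the cheap attribute check first (is it a
    number, no database hit), then the HMAC (proves the server issued this
    exact name/value pair), and only after that would a caller spend a
    database round trip on object-type or permission checks.
    """
    fields = parse_qs(query, keep_blank_values=True)
    raw = fields.get(name, [None])[0]
    sig = fields.get(f"{name}_sig", [None])[0]
    if raw is None or sig is None:
        raise TamperedParameter(f"{name}: missing value or signature")
    if not raw.isdigit():
        raise TamperedParameter(f"{name}: not an integer: {raw!r}")
    # Sign the raw string, not int(raw), so "042" does not verify as "42".
    if not hmac.compare_digest(sign(name, raw, key), sig):
        raise TamperedParameter(f"{name}: signature mismatch")
    return int(raw)


def scanner_probes(signed_query, name, key=SECRET_KEY):
    """Replay the mutations the post's scanner makes (letters in the id,
    id+1, id-1) against a signed link; returns {probe: accepted?}."""
    fields = {k: v[0] for k, v in parse_qs(signed_query).items()}
    original = int(fields[name])
    mutations = {
        "unchanged": str(original),
        "increment": str(original + 1),
        "decrement": str(original - 1),
        "letters": "abc",
        "letters_appended": f"{original}x",
    }
    results = {}
    for label, raw in mutations.items():
        probe = dict(fields, **{name: raw})  # keep the original signature
        try:
            get_signed_int(urlencode(probe), name, key)
            results[label] = True
        except TamperedParameter:
            results[label] = False
    return results


if __name__ == "__main__":
    link = export_signed_vars(user_id=42)
    print("signed link:", link)
    print("verified user_id:", get_signed_int(link, "user_id"))
    for probe, accepted in scanner_probes(link, "user_id").items():
        print(f"{probe:18s} accepted={accepted}")
```

Only the unchanged value verifies; every scanner mutation fails either the integer check or the HMAC before any database access, which is the behaviour the post asks for. The signature does not replace the permission check on the object (the post's point about write access to parties and groups still stands); it only guarantees that the id the page receives is one the server itself put into a link or form.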