Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Signed variables should be fixed then. It occurred to me that if (and perhaps it's stated above) it's not safe to allow users to input src tags to this website, it's not safe to have src tags anywhere. For example, if I create an img tag on my website with

src="https://openacs.org/permissions..blah,blah,blah

and post into this forum a URL to my site that says "here's how to make ACS secure," then someone will click the link and be screwed.

Barry, you are right: we can't fix the way the internet works. I'm not sure why an attacker would go to the trouble of using an image tag to break into OpenACS, given the ease it can be accomplished by tricking someone into visiting an offsite page. The offsite page could use every possible device to break in, not just a src attribute.

One way to fix it, mentioned by me before in this thread and others, is to tie the form to the form processing page. Forms should be tied to a session. Variables used in the form should be tied to the form. In the cases where ad_form is used, this might be possible without visible code changes to each page (where the default formtemplate tag is used), but I'm not an expert on ad_form.

Fixing the exploit code (developer support) isn't a long term solution. Someone could upload their own exploit code once they have admin access.
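The session-bound form the post above describes, as an added illustration in Python (not OpenACS's own Tcl signing code): a token binds the rendered form to the session, the processing page and the hidden variables the form carries, so a request forged from an img src or an offsite page cannot present a valid one. SERVER_SECRET, the session ids and the form names are constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Assumption: a server-side secret that never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)


def sign_form(session_id: str, form_id: str, fixed_vars: dict) -> str:
    """Mint a token that binds the rendered form to one session, one form
    processing page and the hidden variables that form carries (e.g. the
    object whose permissions are being changed)."""
    parts = [session_id, form_id] + [f"{k}={fixed_vars[k]}" for k in sorted(fixed_vars)]
    msg = "\x1f".join(parts).encode()  # unit separator avoids delimiter ambiguity
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_submission(session_id: str, form_id: str, fixed_vars: dict, token: str) -> bool:
    """Accept a submission only if the token was minted for this session,
    this form and these hidden variable values (constant-time comparison)."""
    expected = sign_form(session_id, form_id, fixed_vars)
    return hmac.compare_digest(expected, token)


def scenario() -> dict:
    # Constructed sample: Alice loads the grant-permission form in her session.
    alice = "sess-alice-constructed"
    form = "permissions/grant"
    hidden = {"object_id": "4711", "privilege": "admin"}
    token = sign_form(alice, form, hidden)

    return {
        # Alice submits what she was served: accepted.
        "legit": verify_submission(alice, form, hidden, token),
        # A request triggered by an img src or offsite page carries no usable token.
        "no_token": verify_submission(alice, form, hidden, ""),
        # Hidden variable swapped to target a different object: rejected.
        "tampered": verify_submission(alice, form, {**hidden, "object_id": "1"}, token),
        # Token minted in another session, replayed in Alice's: rejected.
        "other_session": verify_submission(
            alice, form, hidden, sign_form("sess-other-constructed", form, hidden)),
        # Token for one form page presented to another processing page: rejected.
        "other_form": verify_submission(alice, "permissions/revoke", hidden, token),
    }
```

Only the server can mint tokens, so a page elsewhere on the internet can cause the browser to send the request but cannot make it verify.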