Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

45: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!) (response to 1)

Posted by Malte Sussdorff on 06/01/04 08:42 AM

Though we need a general solution, the major hole is the possibility to grant swa permissions to a certain user. If this page requires an additional password or uses a mechanism making sure it can be only called from a certain other page, this would help.

48: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!) (response to 45)

Posted by Jade Rubick on 06/01/04 05:56 PM

Another point:

The developer support shell page needs to use signed variables too. Otherwise, you could pass the variables directly to developer-support using an IMG tag, and not even bother to make yourself site-wide admin.

Barry, thank you for actually doing something about all this discussion! Is anybody willing to port his code to Postgres once he's done testing it?

I personally think this is a security fix, so it wouldn't require TIPing, but perhaps it could be TIPed just to be extra sure...?