11:19 a.m.
URL hacking allows edit mode in weather portlet
-----------------------------------------------
Key: JBPORTAL-1841
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal Core
Affects Versions: 2.6.3 Final
Reporter: Prabhat Jha
Assigned To: Thomas Heute
Priority: Critical
If you are not logged in then weather portlet does not show edit icon which is good. But
if I hack the URL to
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...,
I am able to get into edit mode and change the zip code. Is this how it supposed to be?
Sohil suggests:
"no it shouldn't do that. Either the Edit Mode logic of the Portlet should
protect against this (a bit painful design), or Portal's security layer should have
the granularity to provide role-based protection of the "Edit Mode" of Portlets
as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:45 a.m.
New subject: [JBoss JIRA] Commented: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet
[ http://jira.jboss.com/jira/browse/JBPORTAL-1841?page=comments#action_1239... ]
Thomas Heute commented on JBPORTAL-1841:
----------------------------------------
I don't understand the issue here.
If you access /auth/ you will be asked for authentication then you will change your
preference
URL hacking allows edit mode in weather portlet
-----------------------------------------------
Key: JBPORTAL-1841
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal Core
Affects Versions: 2.6.3 Final
Reporter: Prabhat Jha
Assigned To: Thomas Heute
Priority: Critical
If you are not logged in then weather portlet does not show edit icon which is good. But
if I hack the URL to
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...,
I am able to get into edit mode and change the zip code. Is this how it supposed to be?
Sohil suggests:
"no it shouldn't do that. Either the Edit Mode logic of the Portlet should
protect against this (a bit painful design), or Portal's security layer should have
the granularity to provide role-based protection of the "Edit Mode" of Portlets
as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:35 a.m.
New subject: [JBoss JIRA] Commented: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet
[ http://jira.jboss.com/jira/browse/JBPORTAL-1841?page=comments#action_1239... ]
Prabhat Jha commented on JBPORTAL-1841:
---------------------------------------
Try this:
1. Start up Portal.
2. Access the weather portal page as it is and see Miami weather.
3. Now enter
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...
in browser's address directly and see what you get.
URL hacking allows edit mode in weather portlet
-----------------------------------------------
Key: JBPORTAL-1841
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal Core
Affects Versions: 2.6.3 Final
Reporter: Prabhat Jha
Assigned To: Thomas Heute
Priority: Critical
If you are not logged in then weather portlet does not show edit icon which is good. But
if I hack the URL to
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...,
I am able to get into edit mode and change the zip code. Is this how it supposed to be?
Sohil suggests:
"no it shouldn't do that. Either the Edit Mode logic of the Portlet should
protect against this (a bit painful design), or Portal's security layer should have
the granularity to provide role-based protection of the "Edit Mode" of Portlets
as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9 a.m.
New subject: [JBoss JIRA] Commented: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet
[ http://jira.jboss.com/jira/browse/JBPORTAL-1841?page=comments#action_1239... ]
Thomas Heute commented on JBPORTAL-1841:
----------------------------------------
It asks for my username/password ;)
URL hacking allows edit mode in weather portlet
-----------------------------------------------
Key: JBPORTAL-1841
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal Core
Affects Versions: 2.6.3 Final
Reporter: Prabhat Jha
Assigned To: Thomas Heute
Priority: Critical
If you are not logged in then weather portlet does not show edit icon which is good. But
if I hack the URL to
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...,
I am able to get into edit mode and change the zip code. Is this how it supposed to be?
Sohil suggests:
"no it shouldn't do that. Either the Edit Mode logic of the Portlet should
protect against this (a bit painful design), or Portal's security layer should have
the granularity to provide role-based protection of the "Edit Mode" of Portlets
as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:53 a.m.
New subject: [JBoss JIRA] Commented: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet
[ http://jira.jboss.com/jira/browse/JBPORTAL-1841?page=comments#action_1239... ]
Prabhat Jha commented on JBPORTAL-1841:
---------------------------------------
Crapola. :-( Wrong URL. Try this:
http://localhost:8080/portal/portal/default/Weather/WeatherPortletWindow?...
URL hacking allows edit mode in weather portlet
-----------------------------------------------
Key: JBPORTAL-1841
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal Core
Affects Versions: 2.6.3 Final
Reporter: Prabhat Jha
Assigned To: Thomas Heute
Priority: Critical
If you are not logged in then weather portlet does not show edit icon which is good. But
if I hack the URL to
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...,
I am able to get into edit mode and change the zip code. Is this how it supposed to be?
Sohil suggests:
"no it shouldn't do that. Either the Edit Mode logic of the Portlet should
protect against this (a bit painful design), or Portal's security layer should have
the granularity to provide role-based protection of the "Edit Mode" of Portlets
as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:55 a.m.
New subject: [JBoss JIRA] Updated: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet
[ http://jira.jboss.com/jira/browse/JBPORTAL-1841?page=all ]
Prabhat Jha updated JBPORTAL-1841:
----------------------------------
Attachment: weather-edit.png
URL hacking allows edit mode in weather portlet
-----------------------------------------------
Key: JBPORTAL-1841
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal Core
Affects Versions: 2.6.3 Final
Reporter: Prabhat Jha
Assigned To: Thomas Heute
Priority: Critical
Attachments: weather-edit.png
If you are not logged in then weather portlet does not show edit icon which is good. But
if I hack the URL to
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...,
I am able to get into edit mode and change the zip code. Is this how it supposed to be?
Sohil suggests:
"no it shouldn't do that. Either the Edit Mode logic of the Portlet should
protect against this (a bit painful design), or Portal's security layer should have
the granularity to provide role-based protection of the "Edit Mode" of Portlets
as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:57 a.m.
New subject: [JBoss JIRA] Commented: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet
[ http://jira.jboss.com/jira/browse/JBPORTAL-1841?page=comments#action_1239... ]
Thomas Heute commented on JBPORTAL-1841:
----------------------------------------
We could gracefully redirect the user but this is not a security issue
URL hacking allows edit mode in weather portlet
-----------------------------------------------
Key: JBPORTAL-1841
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Portal Core
Affects Versions: 2.6.3 Final
Reporter: Prabhat Jha
Assigned To: Thomas Heute
Attachments: weather-edit.png
If you are not logged in then weather portlet does not show edit icon which is good. But
if I hack the URL to
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...,
I am able to get into edit mode and change the zip code. Is this how it supposed to be?
Sohil suggests:
"no it shouldn't do that. Either the Edit Mode logic of the Portlet should
protect against this (a bit painful design), or Portal's security layer should have
the granularity to provide role-based protection of the "Edit Mode" of Portlets
as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:57 a.m.
New subject: [JBoss JIRA] Updated: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet
[ http://jira.jboss.com/jira/browse/JBPORTAL-1841?page=all ]
Thomas Heute updated JBPORTAL-1841:
-----------------------------------
Issue Type: Feature Request (was: Bug)
URL hacking allows edit mode in weather portlet
-----------------------------------------------
Key: JBPORTAL-1841
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Portal Core
Affects Versions: 2.6.3 Final
Reporter: Prabhat Jha
Assigned To: Thomas Heute
Priority: Critical
Attachments: weather-edit.png
If you are not logged in then weather portlet does not show edit icon which is good. But
if I hack the URL to
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...,
I am able to get into edit mode and change the zip code. Is this how it supposed to be?
Sohil suggests:
"no it shouldn't do that. Either the Edit Mode logic of the Portlet should
protect against this (a bit painful design), or Portal's security layer should have
the granularity to provide role-based protection of the "Edit Mode" of Portlets
as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:57 a.m.
New subject: [JBoss JIRA] Updated: (JBPORTAL-1841) URL hacking allows edit mode in weather portlet
[ http://jira.jboss.com/jira/browse/JBPORTAL-1841?page=all ]
Thomas Heute updated JBPORTAL-1841:
-----------------------------------
Priority: Major (was: Critical)
URL hacking allows edit mode in weather portlet
-----------------------------------------------
Key: JBPORTAL-1841
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1841
Project: JBoss Portal
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Portal Core
Affects Versions: 2.6.3 Final
Reporter: Prabhat Jha
Assigned To: Thomas Heute
Attachments: weather-edit.png
If you are not logged in then weather portlet does not show edit icon which is good. But
if I hack the URL to
http://localhost:8080/portal/auth/portal/default/Weather/WeatherPortletWi...,
I am able to get into edit mode and change the zip code. Is this how it supposed to be?
Sohil suggests:
"no it shouldn't do that. Either the Edit Mode logic of the Portlet should
protect against this (a bit painful design), or Portal's security layer should have
the granularity to provide role-based protection of the "Edit Mode" of Portlets
as a cross cutting aspect. I like the second option better personally"
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6108
days inactive
6142
days old
8 comments
2 participants
participants (2)
-
Prabhat Jha (JIRA) -
Thomas Heute (JIRA)