Monday, July 02, 2007

Security vulnerability in the Portal

Everyone,
I found this security hole about 2 years ago. BEA mentioned they were going to fix it, but they have not yet done it. I would like to show you what this hole is, and then how to fix it.

What it is: Using the opener link in 5.x, or the normal navigation in 6.x, you can reach the "edit" page of any community regardless of its security settings. That means a guest user can open a community's security tab and read every user and group that has access to it. An attacker can then use those usernames as a target list when trying to break into your site. Let's take a look at the opener object in 5.x. It takes the following parameters: space, control, in_hi_ClassID, in_hi_ObjectID and in_hi_OpenerMode. All you need to do is request the portal with the query string space=Opener&control=OpenObject&in_hi_ClassID=512&in_hi_ObjectID=(target obj id)&in_hi_OpenerMode=1& (512 is the community class ID, and opener mode 1 is the edit mode that the fix below guards).

Here is a picture of what it could look like:

That is not so bad, but look at what else I can see when I click Security and then one of the groups (I scratched out the names to protect the innocent :P):


Now you can clearly see how dangerous this can be.

How to fix it:
This is easier than you think. See the BEA documentation for help with implementing these changes.
In 5.x, make sure your ObjEditorModel class (package com.plumtree.portaluiinfrastructure.editor) contains the following. Inside the block under "else if (EditorStartControl.EDITOR_START_FLAG_EDIT == m_nEditorType)", the switch on class ID needs a default case that checks the current user's edit access to the object:

    default:
        bObjectIsAccessible = m_Session.GetObjectManagers(m_nClassID)
            .IsObjectAccessible(m_nObjectID,
                m_Session.GetSessionInfo().GetCurrentUserID(),
                PT_ACCESS_LEVELS.PT_ACCESS_LEVEL_EDIT);
        break;


6.x already seems to have this check in ObjEditorModel; I think this was BEA's attempt at fixing the issue. One more thing is needed to fully close the hole, on both 5.x and 6.x: a PEI (Portal Event Interface) that checks access before the opener serves the object.

Create a new PEI class implementing IOpenerActions (import the usual PEI types, IOpenerActions, Redirect, AActivitySpace, XPHashtable, IPTSession, PT_ACCESS_LEVELS, PT_CLASSIDS and PTOpenerLinks, from the portal UI infrastructure and server jars). Its OnBeforeOpen method should look like this; returning null lets the open proceed as scheduled, returning a Redirect sends the user somewhere else:
public Redirect OnBeforeOpen(int _nClassID, int _nObjectID, String _strClassKey,
        XPHashtable _htQSArguments, Redirect _rRedirect,
        AActivitySpace _asCurrentSpace, Object _userSession)
{
    IPTSession _ptUserSession = (IPTSession) _userSession;

    // Creating a new object (no ID yet): nothing to protect, let it through.
    if (_nObjectID == -1)
        return null;

    // Work out which opener mode was requested. The opener passes
    // in_hi_OpenerMode; fall back to "mode" if it is absent.
    XPHashtable formData = _asCurrentSpace.GetCurrentFormData();
    String[] sModes = (String[]) formData.GetElement("in_hi_OpenerMode");
    if (sModes == null || sModes.length == 0)
        sModes = (String[]) formData.GetElement("mode");

    // Modes 2 and 3 are not edit modes and need no further check. Anything
    // else, including a missing or bogus value such as 6, is treated as an
    // edit open and must pass the access check below.
    try
    {
        int nMode = Integer.parseInt(sModes[0]);
        if (nMode > 1 && nMode <= 3)
            return null;
    }
    catch (Exception err)
    {
        // null array, empty array or non-numeric value: fall through to the check
    }

    boolean hasAccess = CheckAccessLevel(_nClassID, _nObjectID,
            PT_ACCESS_LEVELS.PT_ACCESS_LEVEL_EDIT, _ptUserSession);
    if (hasAccess)
        return null;

    // No edit rights: log it and send the user to the same object in mode 2 instead.
    log.Info("possible hack detected for user: "
            + _ptUserSession.GetUser().GetName());

    String sRedirect = PTOpenerLinks.GetOpenerURLOpenObjID(_nClassID, _nObjectID, 2, _asCurrentSpace);
    Redirect redirect = new Redirect();
    redirect.SetLinkToExternalURL(sRedirect);
    return redirect;
}


Now add the private helper it calls. It mirrors the access check in ObjEditorModel: catalog folders and cards and admin folders have their own accessibility calls, everything else goes through the object manager for its class:
private boolean CheckAccessLevel(int classID, int objectID, int accessLevel, IPTSession session)
{
    boolean bObjectIsAccessible = false;

    // JF- First we check the edit access
    switch (classID)
    {
        case PT_CLASSIDS.PT_CATALOGFOLDER_ID:
        case PT_CLASSIDS.PT_CATALOGCARD_ID:
            // Knowledge Directory folders and cards are secured through the catalog
            bObjectIsAccessible = session.GetCatalog().IsCatalogObjectAccessible(objectID,
                    objectID, accessLevel);
            break;

        case PT_CLASSIDS.PT_ADMIN_FOLDER_ID:
            // Administrative folders are secured through the admin catalog
            bObjectIsAccessible = session.GetAdminCatalog()
                    .IsAdminFolderAccessible(objectID, accessLevel);
            break;

        default:
            // Communities, pages, portlets, etc.: ask the object manager for the class
            bObjectIsAccessible = session.GetObjectManagers(classID)
                    .IsObjectAccessible(objectID,
                            session.GetSessionInfo().GetCurrentUserID(),
                            accessLevel);
            break;
    }
    return bObjectIsAccessible;
}


Deploy this new PEI and guests can no longer open the editor on objects they are not allowed to edit.
Here is a link to the full file.
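While the PEI stops the open, you also want to know whether anyone has been trying it. The following is an added example, not code from the original post or from BEA/Plumtree: it takes the query-string parameters given in the description (space=Opener, control=OpenObject, in_hi_ClassID, in_hi_ObjectID, in_hi_OpenerMode) and applies the same mode decision the PEI above makes (modes 2 and 3 are exempt, anything else is an edit open) to web-server log lines. The servlet path /portal/server.pt, the combined-style log format and the log lines themselves are assumptions constructed for the example.

```python
"""Spot opener-link requests that open portal objects in editor mode.

Added example (not the post's or BEA/Plumtree's code). Mode handling copies
the PEI in the post: modes 2 and 3 are exempt, everything else is an edit open.
"""
import re
from urllib.parse import parse_qs, urlsplit

EDIT_MODE = 1             # the mode the post abuses; the PEI redirects to mode 2
COMMUNITY_CLASS_ID = 512  # in_hi_ClassID used in the post for communities

# Constructed combined-log-style lines. The third field is the authenticated
# user; "-" means the request came from the guest user.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2007:13:27:01 -0400] "GET /portal/server.pt?space=Opener&control=OpenObject&in_hi_ClassID=512&in_hi_ObjectID=201&in_hi_OpenerMode=1 HTTP/1.1" 200 18422
10.0.0.5 - - [02/Jul/2007:13:27:09 -0400] "GET /portal/server.pt?space=Opener&control=OpenObject&in_hi_ClassID=512&in_hi_ObjectID=201&in_hi_OpenerMode=2 HTTP/1.1" 200 9120
10.0.0.7 - jsmith [02/Jul/2007:13:28:30 -0400] "GET /portal/server.pt?space=Opener&control=OpenObject&in_hi_ClassID=512&in_hi_ObjectID=201&in_hi_OpenerMode=1 HTTP/1.1" 200 18422
10.0.0.9 - - [02/Jul/2007:13:29:02 -0400] "GET /portal/server.pt?space=Opener&control=OpenObject&in_hi_ClassID=512&in_hi_ObjectID=201&in_hi_OpenerMode=6 HTTP/1.1" 200 18422
10.0.0.9 - - [02/Jul/2007:13:29:40 -0400] "GET /portal/server.pt?space=CommunityPage&control=Redirect HTTP/1.1" 200 3300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def opener_url(base, class_id, object_id, mode=EDIT_MODE):
    """Build the 5.x opener URL from the post (servlet path is an assumption)."""
    return (f"{base}/portal/server.pt?space=Opener&control=OpenObject"
            f"&in_hi_ClassID={class_id}&in_hi_ObjectID={object_id}"
            f"&in_hi_OpenerMode={mode}")


def effective_mode(params):
    """Mode the portal will act on, decided exactly as the PEI does.

    params is a parse_qs-style dict of lists. in_hi_OpenerMode wins, then
    mode. Modes 2 and 3 come back unchanged (no edit check needed); a missing,
    empty, non-numeric or out-of-range value (0, 1, 6, ...) counts as an edit
    open and is reported as EDIT_MODE.
    """
    values = params.get("in_hi_OpenerMode") or params.get("mode") or []
    try:
        mode = int(values[0])
    except (IndexError, ValueError):
        return EDIT_MODE
    return mode if 2 <= mode <= 3 else EDIT_MODE


def classify_request(target):
    """None unless target is an opener request for an existing object;
    otherwise the IDs, the mode as requested and the mode that will apply."""
    q = parse_qs(urlsplit(target).query)

    def first(key, default=""):
        return q.get(key, [default])[0]

    if first("space") != "Opener" or first("control") != "OpenObject":
        return None
    try:
        class_id = int(first("in_hi_ClassID", "0"))
        object_id = int(first("in_hi_ObjectID", "-1"))
    except ValueError:
        return None
    if object_id == -1:  # creating a new object: the PEI lets this through
        return None
    return {"class_id": class_id, "object_id": object_id,
            "requested_mode": first("in_hi_OpenerMode") or first("mode") or None,
            "effective_mode": effective_mode(q)}


def find_editor_opens(log_text):
    """All requests the portal would treat as an edit open of an object."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = classify_request(m.group("target"))
        if info is None or info["effective_mode"] != EDIT_MODE:
            continue
        info.update(ip=m.group("ip"), user=m.group("user"),
                    status=int(m.group("status")))
        hits.append(info)
    return hits


def guest_editor_opens(log_text):
    """Edit opens by the guest user: the case the post describes."""
    return [h for h in find_editor_opens(log_text) if h["user"] == "-"]


if __name__ == "__main__":
    for h in guest_editor_opens(SAMPLE_LOG):
        kind = ("community" if h["class_id"] == COMMUNITY_CLASS_ID
                else f"class {h['class_id']}")
        print(f"{h['ip']} opened {kind} {h['object_id']} in editor mode "
              f"(requested mode {h['requested_mode']}, HTTP {h['status']})")
```

Run against real logs, the guest hits are the ones to look at first; the mode-6 line shows why the script, like the PEI, treats any value outside 2..3 as an edit open rather than trusting only the literal 1.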

3 Comments:

At 1:27 PM, Blogger phil said...

Does the security vulnerability happen only when the guest user has minimum read ACL to the portal object that the hacker is attempting to open with the opener link?

 
At 9:52 PM, Blogger Andrew Morris said...

Yes, you have to have at least read access.

 
At 11:12 AM, Blogger Drew4 said...

Andrew,

I am a recruiter looking for an AL consultant to work with one of my clients on their portal development in NC. Is there any way you could post my job on your site?

Cheers,

Drew K.
dkoloski@gromwellit.com

 
