Security hole in User Authentication system?

Posted 24 Feb 2002 01:50:17 by Ricardo Ribeiro:
Well, let's imagine I create a user zone; each user has his own data.

When a user logs in, he's driven to a menu page from which he can change his data. So far so good.

Now, he decides to change some of this data, being driven to a detail page to update the database. Naturally we have a URL like this:

www.mydomain.com/changingdata?IDRecord=1992

Now, guess what happens if the user decides to change the number in the URL... right... he is now in another user's data and he can change it!!

Any comments about this situation?


Replies

Replied 24 Feb 2002 04:50:34 by Owen Eastwick:
Change the form method from GET to POST, so that it isn't passed as a URL parameter, then pick it up on the subsequent page using Request("FormFieldName") instead of Request.QueryString("FormFieldName").

Regards

Owen.

Multiple Parameter UD4 / Access 2000 Database Search Tutorial:
www.tdsf.co.uk/tdsfdemo
Replied 24 Feb 2002 23:50:40 by Ricardo Ribeiro:
OK... I thought about that... but I'm not using forms in the process. I have a table and in one of the columns there is the link. So there is no chance to use any FORM properties to go to the detail page.

So, am I right if I say this is a major security hole in the program?

Replied 25 Feb 2002 00:58:10 by Owen Eastwick:
No, that's just the way URL parameters work; they were never intended for passing around secure information.

Presumably the username, or some other means of linking a particular user to his data, is held in the table containing the data they have entered and are allowed to edit. One way to stop a user editing other people's info, even if they modify the URL parameter, would be to repeat the user check on the edit page, something like:

<%
' Scope the lookup to the logged-in user as well as the requested record.
' CLng() forces RecordID to a number before it is concatenated into the SQL;
' without it the concatenation itself is an injection point.
RecordsetName.Source = "SELECT Whatever, WhateverElse, AndTheRest FROM TableName WHERE UserName = '" & Session("MM_Username") & "' AND RecordID = " & CLng(Request.QueryString("RecordID"))
%>

Then check that a record was returned:

<%
' An empty recordset means the record does not exist or belongs to another user.
If RecordsetName.EOF Then
Response.Redirect("NotAuthorisedToEditThisRecord.asp")
End If
%>

Regards

Owen.

Multiple Parameter UD4 / Access 2000 Database Search Tutorial:
www.tdsf.co.uk/tdsfdemo
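The ownership check described in the reply above, as an added example (not code from this thread or from UltraDev), written in Python against an in-memory SQLite table. Table, column and function names and the sample rows are assumptions. The first handler mirrors the original page and looks the record up by the URL parameter alone, so a logged-in user can read anyone's row; the second scopes the query to the session user with bound parameters, so a tampered ID returns nothing. The update handler carries the same predicate, because checking ownership on the detail page and then running an unscoped UPDATE reopens the hole.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the per-user data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserData (RecordID INTEGER PRIMARY KEY, "
        "UserName TEXT NOT NULL, Whatever TEXT)"
    )
    conn.executemany(
        "INSERT INTO UserData VALUES (?, ?, ?)",
        [(1992, "ricardo", "ricardo's address"), (1993, "owen", "owen's address")],
    )
    conn.commit()
    return conn


class NotAuthorised(Exception):
    pass


def parse_record_id(raw):
    """Reject anything that is not a plain integer before it reaches SQL."""
    if not raw.isdigit():
        raise ValueError("IDRecord must be an integer")
    return int(raw)


def load_for_edit_vulnerable(conn, session_user, query_string):
    """Mirrors the original page: the record is chosen by the URL parameter alone.
    session_user is ignored, which is exactly the problem."""
    record_id = parse_record_id(query_string["IDRecord"])
    row = conn.execute(
        "SELECT RecordID, UserName, Whatever FROM UserData WHERE RecordID = ?",
        (record_id,),
    ).fetchone()
    if row is None:
        raise NotAuthorised()
    return row


def load_for_edit_fixed(conn, session_user, query_string):
    """The fix: the WHERE clause binds the record to the logged-in user."""
    record_id = parse_record_id(query_string["IDRecord"])
    row = conn.execute(
        "SELECT RecordID, UserName, Whatever FROM UserData "
        "WHERE UserName = ? AND RecordID = ?",
        (session_user, record_id),
    ).fetchone()
    if row is None:
        # Same response whether the record is missing or belongs to someone else,
        # so the ID space cannot be enumerated through different error messages.
        raise NotAuthorised()
    return row


def update_fixed(conn, session_user, query_string, new_value):
    """The write path repeats the ownership predicate; a 0 row count means the
    request touched nothing, regardless of what the detail page showed."""
    record_id = parse_record_id(query_string["IDRecord"])
    cur = conn.execute(
        "UPDATE UserData SET Whatever = ? WHERE UserName = ? AND RecordID = ?",
        (new_value, session_user, record_id),
    )
    conn.commit()
    return cur.rowcount


def demo():
    """ricardo (session user) edits the URL to point at owen's record 1993."""
    conn = make_db()
    tampered = {"IDRecord": "1993"}
    leaked_owner = load_for_edit_vulnerable(conn, "ricardo", tampered)[1]
    try:
        load_for_edit_fixed(conn, "ricardo", tampered)
        blocked = False
    except NotAuthorised:
        blocked = True
    rows_changed = update_fixed(conn, "ricardo", tampered, "hijacked")
    return leaked_owner, blocked, rows_changed


if __name__ == "__main__":
    print(demo())  # ('owen', True, 0)
```

The point is that the request parameter only names the record; the session names the principal, and the query has to require both. Switching the form from GET to POST does not change this, since a POST body is as editable by the client as a query string.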
Replied 26 Feb 2002 16:15:45 by Dennis van Galen:
Also note that without some code adjustments the User Authentication Behaviour is NOT completely secure...

Look at this technote and get ready to fix it:
www.macromedia.com/support/ultradev/ts/documents/login_sb_security.htm

Even with this fix I would not recommend using the Authentication behaviors on a full fledged E-commerce website, unless it's combined with SSL, see this technote: www.macromedia.com/support/ultradev/ts/documents/security_userauthentication.htm

There are more issues to look out for; one example is Paypal for online transactions: they have this cool behaviour for free, but don't let them fool you.
They freeze your account for no apparent reason; look here for more on Paypal: www.paypalwarning.com/WallOfShame/Default.htm


With kind regards,

Dennis van Galen
Webmaster KPN Nederland
Financial and Information Services
