security question

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

Do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.
This thread is closed to new posts. You must sign in to post in the forums.
10/31/2010 9:11:18 PM
derek.liang.ca
Gravatar
Total Posts 14
View Posts

security question

Hi all,

From the following video "Enforcing Security Part 1" at 2:23,

http://www.mojoportal.com/dev-series-25-enforcing-security-part-1.aspx

and related code

protected void Page_Load(object sender, EventArgs e)
{
LoadParams();

if (!UserCanEditModule(moduleId) || itemGuid==Guid.Empty)
{
SiteUtils.RedirectToAccessDeniedPage();
return;
}

...

}

private void LoadParams()

{

...

moduleId = WebUtils.ParseInt32FromQueryString("mid", moduleId);

...

}

It seems that it is quite easy to spoof the moduleId by modifying query string in the requesting URL.

Suppose a user has edit rights to an unrelated module on the web site, he/she can invoke Edit.aspx with edit.aspx?mid=xxx where xxx is the module that he/she has edit rights to.

Do I miss something?

Thanks!

 

dl

11/1/2010 5:54:12 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: security question

Yes, you miss something.

In the UserCanEditModule method of mojoBasePage we check that the module exists on the current page and whether the user has permissions to edit the module and/or the page. so if someone passes in a moduleid for a module that is not on the page it will not work.

Best,

Joe

11/1/2010 3:04:32 PM
derek.liang.ca
Gravatar
Total Posts 14
View Posts

Re: security question

I traced the code a bit and found that the currentPage variable in UserCanEditModule is based on the query string too.

private static PageSettings LoadCurrentPage()
{
...

int pageID = WebUtils.ParseInt32FromQueryString("pageid", -1);

...

PageSettings currentPage = new PageSettings(siteSettings.SiteId, pageID);

...

}

suppose I have page and module that I have rights to, I can spoof the url with edit.aspx?pageid=yyy&mid=xxx.

The question I am asking is that there is no knowledge of page/module ID in the supporting page except from url. How can the page be secured via external data source (in this case the url).

 

dl

11/2/2010 6:46:59 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: security question

Ok, I see what you are getting at, maybe I did not cover it well enough in the video. The check for UserCanEditModule is just one preliminary step  for securing a custom feature, it is not a complete security solution. Additional steps to secure a feature can very depending on the feature.

In the case of the GuestBook  example, before editing or deleting a guestbook item, one needs to check that the item has the same moduleid that is passed in. For creating a new item one can check that the module has the correct feature guid to make sure it represents a GuestBook instance.

Best,

Joe

11/2/2010 12:52:39 PM
derek.liang.ca
Gravatar
Total Posts 14
View Posts

Re: security question

So I guess this is how thing should work in the Guestbook app.

The UserCanEditModule function will guarantee that the pageid and moduleid are valid and user has access to it. It is up to your application to make sure that the moduleId and itemGuid match as shown in the following code (which is missing in the tutorial).


private void Save()
{

GuestBook g = repository.Fetch(itemGuid);

if g.moduleId != this.moduleId)
{
SiteUtils.RedirectToAccessDeniedPage();
return;
}

g.Name = txtName.Text;
g.EmailAddress = txtEmailAddress.Text;
g.Location = txtLocation.Text;
g.WebSiteUrl = txtWebSiteUrl.Text;
g.Comment = txtComment.Text;

repository.Save(g);
}

Am I right?

 

dl

11/3/2010 6:37:31 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: security question

Yes, that looks good. I plan to make the GuestBook source code available for download, should have done it already but have been swamped and I'm leaving for a short vacation tomorrow morning but next week I will try to update it and make it available. When I did the videos we were using a Subversion repository but we are now using Mercurial so I need to set it up again with the latest code from Mercurial and make sure it works then write instructions about how to add the projects to a solution, then I can zip up the GuestBook source code and make a download.

I'm also looking at adding an overload for the UserCanEditModule that allows passing in the feature guid so we can validate that the module represents an instance of the feature in the same method where we validate that the user has permissions on the page/module. This will be more convenient for when creating new items like a new GuestBookItem where we can't check the module id since it is a new object.

Best,

Joe

You must sign in to post in the forums. This thread is closed to new posts.