Hello,
TLDR: Prior to a few days ago, AjaxFlexibleFileUpload (and ERAttachmentFlexibleUpload which uses it) had a rather large security hole in it. If you use this component, you should update to the recently released Wonder 6.1.5 or to HEAD for Wonder 7, both of which contain the fix.
A few months ago, Ralf Schuchardt committed some improvements to AjaxProxy:
This passed me by until I noticed some unusual console logging from a page with an upload component on it. It was coming from this newly-added line in AjaxProxy:
log.warn("No proxy binding given, so using parent component. This is probably a very bad idea.");
As Ralf noted in a reply to me in the comments to that pull request:
AjaxProxy currently publishes every public method of the object on the client side. For components this means for example WOComponent.valueForKeyPath and WOComponent.takeValueForKeyPath are directly callable by the client. A malicious user may call valueForKeyPath("application.terminate") or every other path reachable by session or application. I call this a serious issue.
Indeed, any app user with access to a page containing an AjaxFlexibleFileUpload could shut down the application instance by adding a single line to wonder.js using something like Chrome’s Developer Tools; no privilege beyond being able to load the page is needed, because the proxy exposes whatever the component can reach through a key path.
I fixed the issue by setting the proxy binding to an inner class with limited privileges.
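To make the failure mode and the shape of the fix concrete, the following is an added, self-contained Java illustration; it is not AjaxProxy's, Wonder's or WebObjects' code. It models a toy proxy that reflectively publishes every public method of its target (the situation Ralf describes), a toy component whose valueForKeyPath walks a dotted key path through session and application by calling public no-argument methods (a deliberate simplification of key-value coding, not the real implementation), and a narrow inner-class facade of the kind the fix uses. All class and method names (Application, Session, UploadComponent, UploadProxy, ReflectiveProxy, uploadProgress, ProxyDemo) are assumptions chosen for the illustration.

```java
import java.lang.reflect.Method;
import java.util.Set;
import java.util.TreeSet;

// Added illustration, not Wonder/WebObjects code: minimal stand-ins for
// Application, Session and a component that lives on the upload page.
class Application {
    boolean terminated = false;
    public void terminate() { terminated = true; }   // reachable via "application.terminate"
}

class Session {
    private final Application application;
    Session(Application application) { this.application = application; }
    public Application application() { return application; }
}

class UploadComponent {
    private final Session session;
    UploadComponent(Session session) { this.session = session; }
    public Session session() { return session; }
    public Application application() { return session.application(); }

    // The only thing the client legitimately needs from this component (assumed name).
    public String uploadProgress() { return "42%"; }

    // Simplified key-path traversal: each dotted segment is resolved by calling a
    // public no-argument method on the current object. Publishing this to the
    // client publishes the whole object graph reachable from the component.
    public Object valueForKeyPath(String keyPath) throws Exception {
        Object current = this;
        for (String key : keyPath.split("\\.")) {
            if (current == null) return null;
            current = current.getClass().getMethod(key).invoke(current);
        }
        return current;
    }

    // Shape of the fix: a narrow inner class that forwards only the methods the
    // client needs, so a proxy built on it has nothing dangerous to publish.
    public final class UploadProxy {
        public String uploadProgress() { return UploadComponent.this.uploadProgress(); }
    }
}

// Toy model of a proxy that publishes every public method of its target by name.
// Object's own methods are excluded so the listing shows only what the target
// class itself contributes.
class ReflectiveProxy {
    private final Object target;
    ReflectiveProxy(Object target) { this.target = target; }

    Set<String> published() {
        Set<String> names = new TreeSet<>();
        for (Method m : target.getClass().getMethods()) {
            if (m.getDeclaringClass() != Object.class) names.add(m.getName());
        }
        return names;
    }

    // Dispatch a client call by method name and argument count.
    Object invoke(String name, Object... args) throws Exception {
        for (Method m : target.getClass().getMethods()) {
            if (m.getDeclaringClass() != Object.class
                    && m.getName().equals(name)
                    && m.getParameterCount() == args.length) {
                return m.invoke(target, args);
            }
        }
        throw new NoSuchMethodException(name + "/" + args.length);
    }
}

public class ProxyDemo {
    public static void main(String[] args) throws Exception {
        Application app = new Application();
        UploadComponent component = new UploadComponent(new Session(app));

        // Before the fix: the component itself is the proxy target.
        ReflectiveProxy wide = new ReflectiveProxy(component);
        System.out.println("component proxy publishes " + wide.published());
        wide.invoke("valueForKeyPath", "application.terminate");
        System.out.println("terminated through component proxy: " + app.terminated);

        // After the fix: the narrow facade is the proxy target.
        app.terminated = false;
        ReflectiveProxy narrow = new ReflectiveProxy(component.new UploadProxy());
        System.out.println("facade proxy publishes " + narrow.published());
        System.out.println("progress: " + narrow.invoke("uploadProgress"));
        try {
            narrow.invoke("valueForKeyPath", "application.terminate");
        } catch (NoSuchMethodException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("terminated through facade proxy: " + app.terminated);
    }
}
```

Compile and run with `javac ProxyDemo.java && java ProxyDemo`. The component-backed proxy publishes application, session, uploadProgress and valueForKeyPath, and the key path "application.terminate" flips the terminated flag; the facade-backed proxy publishes only uploadProgress and rejects the same call. The caveat to carry over to real code is that a facade only helps if none of its methods hands back an object from the component, session or application graph, since the client can then traverse from there just as before.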
If you’re using AjaxFlexibleFileUpload or ERAttachmentFlexibleUpload in production, you should update your Wonder frameworks as described above.