Serious security hole in AjaxFlexibleFileUpload (and ERAttachmentFlexibleUpload)
  • Subject: Serious security hole in AjaxFlexibleFileUpload (and ERAttachmentFlexibleUpload)
  • From: Paul Hoadley <email@hidden>
  • Date: Thu, 23 Jun 2016 18:45:39 +0930

Hello,

TLDR: Prior to a few days ago, AjaxFlexibleFileUpload (and ERAttachmentFlexibleUpload which uses it) had a rather large security hole in it. If you use this component, you should update to the recently released Wonder 6.1.5 or to HEAD for Wonder 7, both of which contain the fix.

A few months ago, Ralf Schuchardt committed some improvements to AjaxProxy:

https://github.com/wocommunity/wonder/pull/731

This passed me by until I noticed some unusual console logging from a page with an upload component on it. It was coming from this newly-added line in AjaxProxy:

log.warn("No proxy binding given, so using parent component. This is probably a very bad idea.");

As Ralf noted in a reply to me in the comments to that pull request:

AjaxProxy currently publishes every public method of the object on the client side. For components this means for example WOComponent.valueForKeyPath and WOComponent.takeValueForKeyPath are directly callable by the client. A malicious user may call valueForKeyPath("application.terminate") or every other path reachable by session or application. I call this a serious issue.

Indeed, any app user with access to a page containing an AjaxFlexibleFileUpload could cause an instance shutdown by adding a single line to wonder.js using something like Chrome’s Developer Tools.

https://github.com/wocommunity/wonder/issues/768

I fixed the issue by setting the proxy binding to an inner class with limited privileges.

https://github.com/wocommunity/wonder/pull/769

If you’re using AjaxFlexibleFileUpload or ERAttachmentFlexibleUpload in production, you should update your Wonder frameworks as described above.


-- 
Paul Hoadley
http://logicsquad.net/
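The mechanism Paul and Ralf describe, as an added example that is not part of the original post and not Wonder's own code: a reflective RPC bridge that publishes every public method of its target lets a client walk a key path like "application.terminate", while pointing the same bridge at a small inner class that exposes only the upload callback closes that door. The classes App, UploadComponent, UploadProxy and ReflectiveProxy are hypothetical stand-ins for WOApplication, WOComponent, the inner class used in the fix, and AjaxProxy's dispatch; the key-value coding here is deliberately simplified to "invoke the public no-argument method named by each key".

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class ProxyExposureDemo {

    // Hypothetical stand-in for the application object. In the reported issue the
    // reachable target was the application's terminate() via the "application" key path.
    public static class App {
        public boolean terminated = false;
        public void terminate() { terminated = true; }
    }

    // Hypothetical stand-in for a page component carrying an upload callback.
    public static class UploadComponent {
        private final App app;

        public UploadComponent(App app) { this.app = app; }

        // Mirrors WOComponent.application(): every component can reach the application.
        public App application() { return app; }

        // The callback the client legitimately needs when an upload completes.
        public String uploadFinished(String fileName) {
            return "stored " + fileName;
        }

        // Simplified key-value coding: resolves "a.b.c" by invoking the public
        // no-argument method named by each key on the value found so far. Real
        // WebObjects KVC also tries accessors and fields; the exposure is the same.
        public Object valueForKeyPath(String keyPath) throws ReflectiveOperationException {
            Object current = this;
            for (String key : keyPath.split("\\.")) {
                Method m = current.getClass().getMethod(key);
                current = m.invoke(current);
            }
            return current;
        }

        // The shape of the fix: a small inner object exposing only the upload
        // callback, so this is the whole surface the client-side proxy can see.
        public class UploadProxy {
            public String uploadFinished(String fileName) {
                return UploadComponent.this.uploadFinished(fileName);
            }
        }

        public UploadProxy proxy() { return new UploadProxy(); }
    }

    // Hypothetical model of the bridge: it dispatches any public method on its
    // target by name, which is what the report describes when the proxy binding
    // falls back to the parent component.
    public static class ReflectiveProxy {
        private final Object target;

        public ReflectiveProxy(Object target) { this.target = target; }

        public Object invoke(String methodName, Object... args)
                throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
            for (Method m : target.getClass().getMethods()) {
                if (m.getDeclaringClass() == Object.class) continue; // keep getClass() etc. off the wire
                if (m.getName().equals(methodName) && m.getParameterCount() == args.length) {
                    return m.invoke(target, args);
                }
            }
            throw new NoSuchMethodException(methodName + " is not exposed on "
                    + target.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) throws Exception {
        // Before the fix: the component itself is the proxy target, so a client that
        // edits wonder.js can name valueForKeyPath and walk to application.terminate.
        App app = new App();
        ReflectiveProxy unsafe = new ReflectiveProxy(new UploadComponent(app));
        unsafe.invoke("valueForKeyPath", "application.terminate");
        System.out.println("unsafe proxy: application terminated = " + app.terminated);

        // After the fix: the proxy target is the limited inner class. The upload
        // callback still works, but valueForKeyPath is not reachable at all.
        App app2 = new App();
        ReflectiveProxy safe = new ReflectiveProxy(new UploadComponent(app2).proxy());
        System.out.println("safe proxy: " + safe.invoke("uploadFinished", "report.pdf"));
        try {
            safe.invoke("valueForKeyPath", "application.terminate");
        } catch (NoSuchMethodException e) {
            System.out.println("safe proxy: refused, " + e.getMessage());
        }
        System.out.println("safe proxy: application terminated = " + app2.terminated);
    }
}
```

The check a practitioner wants before trusting any such bridge is the one ReflectiveProxy makes explicit: enumerate what the target's class publishes (here via getMethods()) and confirm nothing on that list can reach session or application state. Filtering Object's methods is a minimal step; an explicit allowlist of method names on the bridge itself is stronger than relying on the target class being small.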



Webobjects-dev mailing list