Opened 6 years ago

Closed 6 years ago

#2038 closed defect (fixed)

Taglibs in web client may leak information

Reported by: Nicklas Nordborg Owned by: Nicklas Nordborg
Priority: major Milestone: BASE 3.10
Component: web Version:
Keywords: Cc:

Description

I am not sure how critical this is but some taglibs used by the BASE web client have instance variables that are automatically set in some circumstances but never touched in other cases. Since taglib instances are re-used this may cause information to leak from one usage of a taglib to another. An example:

The <base:page> taglib is used on almost all pages in the web client. If there are skin extensions installed the skinContext variable is initialized unless the noskin attribute is set. If a page is setting noskin=false a new skin context is not created, but if there is an existing instance it will not cleared. This instance may belong to another user that just happens to be logged in at the same time. Since the SessionControl is accessible from the skinContext variable there is a risk that the session control for the other user is leaked to a different user. A malicious page may use this to get hold of a session control belonging to a server administrator and then do bad stuff.

Well, the main risk is that we are mixing up session controls in our own code and that users suddenly can access information that the would normally not be able to.

It should be relatively easy to fix this kind of problem by making sure that sensitive instance variables are reset in the setPageContext() method that is always called before using a taglib for a new page request.

Change History (2)

comment:1 Changed 6 years ago by Nicklas Nordborg

Owner: changed from everyone to Nicklas Nordborg
Status: newassigned

comment:2 Changed 6 years ago by Nicklas Nordborg

Resolution: fixed
Status: assignedclosed

(In [7217]) Fixes #2038: Taglibs in web client may leak information

Fixed the issue in Page taglib by making sure that variables are reset in the setPageContext method. Also added tag attribute sc for setting a session control on the page so that the taglib doesn't have to find out by inspecting the URL.

Also found similar issues with some variables in other taglibs that should be reset before used.

Note: See TracTickets for help on using tickets.