Hello,

Is it possible to disable the functionality provided by xxforms:property (which displays the values from Orbeon's properties.xml)?

In our case, the XForms are defined by the users. They can thus upload a form that outputs the possibly sensitive values (oxf.xforms.password and oxf.xforms.store.application.password are candidates). In fact, they don't even have to upload a form: any form that has the widget inspector on can evaluate xxforms:property('oxf.xforms.store.application.password') as an XPath expression.

Now, in practice the above may have different degrees of risk (any password used to encrypt the Ajax communication is known to the client anyway by definition) so further analysis might be required - for now, I'm just asking whether it's possible to disable this access.

Thanks,
JL
-- You receive this message as a subscriber of the [hidden email] mailing list. To unsubscribe: mailto:[hidden email] For general help: mailto:[hidden email]?subject=help OW2 mailing lists service home page: http://www.ow2.org/wws
Jean-Luc,

> Is it possible to disable the functionality provided by
> xxforms:property (which displays the values from Orbeon's
> properties.xml)?
>
> In our case, the XForms are defined by the users. They can thus
> upload a form that outputs the possibly sensitive values
> (oxf.xforms.password and oxf.xforms.store.application.password are
> candidates). In fact, they don't even have to upload a form: any form
> that has the widget inspector on can evaluate
> xxforms:property('oxf.xforms.store.application.password') as an
> XPath expression.

xxforms:property() already filters out the oxf.xforms.password property. We could maybe have it filter out any property containing "password". Or, we could allow disabling it somehow, but currently there is no function to disable it.

> Now, in practice the above may have different degrees of risk (any
> password used to encrypt the Ajax communication is known to the
> client anyway by definition) so further analysis might be required -
> for now, I'm just asking whether it's possible to disable this access

Currently, Ajax communication is not encrypted in Orbeon Forms. In general, if you need encryption of your communication, use HTTPS, which doesn't use a password, but a combination of private/public key and a stream cypher. It's obviously quite safe ;-)

That said, the internals of the XForms engine are protected. Any state information traveling over Ajax from the client to the server and vice versa is encrypted, with a password that never makes it to the client. In general, that state information doesn't even make it to the client: it is referred to through UUID, and the state information remains on the server anyway.

Regarding

-Erik

--
Orbeon Forms - Web Forms for the Enterprise Done the Right Way
http://www.orbeon.com/
> xxforms:property() already filters out the oxf.xforms.password
> property.

Ah, ok, I tried with xxforms:property('oxf.xforms.store.application.password') and that still worked and I didn't check the other.

It's probably better to do it for all *password* fields (and any other setting known to be sensitive) since normally you don't have any reason to read the password and the acceptance of Orbeon in certain corporate environments might be hampered if a security audit identifies these. It may not be a very serious risk, but sometimes perception matters as well.
>> xxforms:property() already filters out the oxf.xforms.password
>> property.
>
> Ah, ok, I tried with
> xxforms:property('oxf.xforms.store.application.password') and that
> still worked and I didn't check the other.
>
> It's probably better to do it for all *password* fields (and any
> other setting known to be sensitive) since normally you don't have
> any reason to read the password and the acceptance of Orbeon in
> certain corporate environments might be hampered if a security audit
> identifies these. It may not be a very serious risk, but sometimes
> perception matters as well.

Great, that sounded easy so I committed code to filter on any property name containing the string "password". That's a start.

-Erik

--
Orbeon Forms - Web Forms for the Enterprise Done the Right Way
http://www.orbeon.com/
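The before and after of the filter discussed in this exchange, as an added Python sketch that is not Orbeon's code: an exact-match denylist that only knows oxf.xforms.password (the original behaviour the thread describes) beside a case-insensitive substring match, both run over a constructed property map. The property names other than the two named in the thread, their placeholder values, and the extra name fragments beyond "password" are my assumptions.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample of an Orbeon-style properties map. Values are placeholders,
# not real configuration; names beyond the two from the thread are assumed.
SAMPLE_PROPERTIES: Dict[str, str] = {
    "oxf.xforms.password": "PLACEHOLDER-1",
    "oxf.xforms.store.application.password": "PLACEHOLDER-2",
    "oxf.xforms.ajax.timeout": "30000",                         # assumed harmless name
    "oxf.xforms.Store.Application.PASSWORD": "PLACEHOLDER-3",   # constructed mixed-case name
}

# "Before": only the one property name the thread says was already filtered.
EXACT_DENYLIST = {"oxf.xforms.password"}

# "After": any name containing "password", matched case-insensitively, plus a few
# other fragments a reviewer would usually treat as sensitive (my assumption).
SENSITIVE_FRAGMENTS = re.compile(r"password|passwd|secret|private[-_.]?key|token",
                                 re.IGNORECASE)

Lookup = Callable[[str], Optional[str]]


def property_exact_filter(name: str) -> Optional[str]:
    """Exact-match denylist: misses every sensitive name not listed verbatim."""
    if name in EXACT_DENYLIST:
        return None
    return SAMPLE_PROPERTIES.get(name)


def is_sensitive_property(name: str) -> bool:
    """True when the property name looks like it carries a credential."""
    return SENSITIVE_FRAGMENTS.search(name) is not None


def property_substring_filter(name: str) -> Optional[str]:
    """Substring denylist: hides any name that matches SENSITIVE_FRAGMENTS."""
    if is_sensitive_property(name):
        return None
    return SAMPLE_PROPERTIES.get(name)


def leaked_through(lookup: Lookup) -> List[str]:
    """Audit helper: sensitive-looking names whose values a lookup still returns."""
    return sorted(n for n in SAMPLE_PROPERTIES
                  if is_sensitive_property(n) and lookup(n) is not None)
```

Running leaked_through over both lookups shows the exact-match version still exposing oxf.xforms.store.application.password (and the mixed-case variant), while the substring version exposes none of the constructed names.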
Super. I won't be able to use a new build, unfortunately, until the issue described in the thread with "JS and CSS links are broken (no longer relative)" in the subject is fixed. I run a locally patched version now, with XHTMLHeadHandler restored to an earlier version. As a heads-up, this messes FR (if response.rewriteResourceURL() is called, the CSS and JS of the Form Runner become /ops/ops/...). So now it's either the patched version that behaves correctly or the unpatched version where only FR works. All the details are in the original thread (and it's all about separate deployment).

Maybe with JavaOne gone there are more reasons to hope for a fix? :)

Many thanks,
JL

----- Original Message -----
From: "Erik Bruchez" <[hidden email]>
To: <[hidden email]>
Sent: Wednesday, May 21, 2008 2:50 PM
Subject: [ops-users] Re: Re: Re: security issue with xxforms:property()

>>> xxforms:property() already filters out the oxf.xforms.password
>>> property.
>>
>> Ah, ok, I tried with
>> xxforms:property('oxf.xforms.store.application.password') and that
>> still worked and I didn't check the other.
>>
>> It's probably better to do it for all *password* fields (and any
>> other setting known to be sensitive) since normally you don't have
>> any reason to read the password and the acceptance of Orbeon in
>> certain corporate environments might be hampered if a security audit
>> identifies these. It may not be a very serious risk, but sometimes
>> perception matters as well.
>
> Great, that sounded easy so I committed code to filter on any property
> name containing the string "password". That's a start.
>
> -Erik
>
> --
> Orbeon Forms - Web Forms for the Enterprise Done the Right Way
> http://www.orbeon.com/