9 Replies Latest reply on Dec 13, 2011 4:14 PM by gebuh

Bug in Seam or Internet Explorer security hole?

cash1981 Apr 2, 2009 3:58 PM

Our test developer found something quite strange.
We have a page, which is restricted with a admin role.

This is what he did to find the error:

click on some of the admin stuff (creating users, listing users etc)

Copy url of the admin page

Logout

Paste url of admin page

Now in opera and firefox under Linux this didnt work. You got the error page with limited restriction.

However on windows and Internet Explorer 7, when pasting the url, you can view ALL the admin pages through the url. Listing the users, creating users, the home page of the admin etc.

Now is this a bug in Seam or is the security in Internet Explorer fu..ked??

1. Re: Bug in Seam or Internet Explorer security hole?

cash1981 Apr 2, 2009 4:09 PM (in response to cash1981)

I filed a JIRA, and lets see what happens.

JIRA
Actions
2. Re: Bug in Seam or Internet Explorer security hole?

cash1981 Apr 2, 2009 7:56 PM (in response to cash1981)

JIRA was rejected because they think I need support.
Ignorante if you ask me. Typical.

Anybody else experienced this?
Actions
3. Re: Bug in Seam or Internet Explorer security hole?

mwohlf Apr 2, 2009 8:25 PM (in response to cash1981)

Are you sure the pages don't come from the cache? How did you implement authentication/authorisation?
If You log in as a mortal user and run with admin privileges, it sounds more like a bug in your app than in Seam or IE (no offense)
Actions
4. Re: Bug in Seam or Internet Explorer security hole?

cash1981 Apr 2, 2009 9:12 PM (in response to cash1981)

The pages are not cached by seam.
Authentication is implemented as the minimal sample from the seam example.
I never said they run as admin privileges, I just said that they can view the pages. They cant do anything, only view.

If this is a bug from my system, then how come it works as expected in Firefox and Opera? Only Internet Explorer where this bug is.
Actions
5. Re: Bug in Seam or Internet Explorer security hole?

mwohlf Apr 2, 2009 9:18 PM (in response to cash1981)

IE has a cache too, did You check that?
Actions
6. Re: Bug in Seam or Internet Explorer security hole?

cash1981 Apr 2, 2009 9:20 PM (in response to cash1981)

That is why I was wonder wether this is an Internet Explorer security issue, or if seam really clears the internet explorer session cache properly as they do with Firefox and Opera.
Actions
7. Re: Bug in Seam or Internet Explorer security hole?

mwohlf Apr 2, 2009 9:37 PM (in response to cash1981)
IE is well know for doing whatever it wants no matter what the standard is, so I am not sure if IE listens to seam about what to do with it's cache ;-)
what I try to do to prevent caching is:

<meta http-equiv="Cache-Control" content="no-cache" /> <meta http-equiv="Pragma" content="no-cache" /> <meta http-equiv="Expires" content="0" />

in the header of my master template, but I didn't check with IE and have none around right now, I have also seen web-proxies caching my pages even with this header, guess that's their job
Actions
8. Re: Bug in Seam or Internet Explorer security hole?

misterloftcraft Dec 13, 2011 3:58 PM (in response to cash1981)

As long as the users can't access anything on your admin page and they are just viewing, well, it's not a big deal, but still, IE is acting weird as always. At some point I had to use a registry cleaner to fix all the problems that IE caused so... that says a lot about the quality of this browser.
Actions
9. Re: Bug in Seam or Internet Explorer security hole?

gebuh Dec 13, 2011 4:14 PM (in response to cash1981)

Not sure how pertinent this is, but I found that even with no-cache settings, if I didn't close all current browser windows, whatever existed before stuck around.
Actions

Go to original post