0 Replies Latest reply on Mar 15, 2009 11:58 PM by Stuart Douglas

    Security Vulnerability in booking example

    Stuart Douglas

      It is possible to leak details (real name and username) of a previously logged in user to an unauthenticated user in the booking example. This is because the 'user' field on the SLSB authenticator is not cleared on every login attempt.

      If an unauthenticated user gets a previously used SLSB then the 'user' field will already be set to another user's details, and if their login attempt fails then the other user's details will be outjected to the session. If this user then clicks the 'create account' button the username and real name fields will be pre-filled with the other user's details.

      This of course depends on the SLSB pooling mechanism used by the AS; however, it is easy to reproduce and it is possible to pull people's details out of the demo hosted at exadel.com.

      People that use SLSBs as authenticators should check their code to make sure they are not affected by the problem. Also, anywhere that uses SLSBs and outjection is vulnerable to similar problems unless the outjected field is set to a specific value every time.

      A framework-wide approach to this problem would be to nullify all outjected fields on SLSBs after method invocation.
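      The defective and the hardened shape of such an authenticator side by side, as an added example written for this post rather than code from the booking example itself. It assumes a `User` entity with `username` and `password` fields, an `Authenticator` local interface, and Seam's `Identity` component supplying the submitted credentials.

```java
import java.util.List;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Out;
import org.jboss.seam.security.Identity;

// Constructed example, not the booking example's own source. A stateless
// session bean is pooled, so its fields survive between invocations, and
// every @Out field is outjected after each call, whatever it holds.
@Stateless
@Name("authenticator")
public class AuthenticatorAction implements Authenticator {
    @PersistenceContext private EntityManager em;
    @In private Identity identity;
    @Out(required = false, scope = ScopeType.SESSION) private User user;

    // Defective shape: 'user' is assigned only on success, so a failed login
    // outjects whatever a previous caller left in this pooled instance.
    public boolean authenticateLeaky() {
        User found = findUser();
        if (found == null) return false; // 'user' still holds stale data
        user = found;
        return true;
    }

    // Hardened shape: reset every outjected field at the start of each
    // invocation so the session only ever receives this caller's own result.
    public boolean authenticate() {
        user = null;
        User found = findUser();
        if (found == null) return false; // outjects null, never stale state
        user = found;
        return true;
    }

    @SuppressWarnings("unchecked")
    private User findUser() {
        List<User> results = em.createQuery(
                "select u from User u where u.username = :name and u.password = :pw")
            .setParameter("name", identity.getUsername())
            .setParameter("pw", identity.getPassword())
            .getResultList();
        return results.isEmpty() ? null : results.get(0);
    }
}
```

      Resetting the field at the top of every invocation is the per-bean equivalent of the framework-wide nulling suggested above; either way the rule is that a pooled bean must never rely on an outjected field's value from a previous call.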