[Geoserver-devel] Call for review GEOS-5921

The issue is here

https://jira.codehaus.org/browse/GEOS-5921#comment-329355

The patch is here

https://github.com/mcrmcr/geoserver-1/commit/7c3e9aaf7aa4a625099fcd6bd88199b5ed1c15e7

The patch contains only a few lines, but it is a hack. As a consequence, a review would be nice.

@Justin, I think this class was invented by you.

Thanks to reviewer :slight_smile:

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi,

I look at your code and are a little bit concerned about the solution for Login-page itself.
Wouldn’t it be easy to include “org.geoserver.web.GeoServerLoginPage” as a part of the queryString in any url?
In that way this hack would be a fairly decent security hole.

Regards,

Roar Brænden

···

2013/7/23 Christian Mueller <christian.mueller@anonymised.com>

The issue is here

https://jira.codehaus.org/browse/GEOS-5921#comment-329355

The patch is here

https://github.com/mcrmcr/geoserver-1/commit/7c3e9aaf7aa4a625099fcd6bd88199b5ed1c15e7

The patch contains only a few lines, but it is a hack. As a consequence, a review would be nice.

@Justin, I think this class was invented by you.

Thanks to reviewer :slight_smile:

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Yep, this is an argument. The URL path is

http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false

Some improvments:

Changing the ant pattern to “/web/” instead of “/web/**”

Check that the number of parameters is 2

Check that wicket:bookmarkablePage exists and has the value :org.geoserver.web.GeoServerLoginPage

Check that error parameter exists and has the value false or true.

I will check this and update the patch.

Christian

···

2013/7/24 Roar Brænden <roar.brenden.no@anonymised.com>

Hi,

I look at your code and are a little bit concerned about the solution for Login-page itself.
Wouldn’t it be easy to include “org.geoserver.web.GeoServerLoginPage” as a part of the queryString in any url?
In that way this hack would be a fairly decent security hole.

Regards,

Roar Brænden

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/7/23 Christian Mueller <christian.mueller@anonymised.com>

The issue is here

https://jira.codehaus.org/browse/GEOS-5921#comment-329355

The patch is here

https://github.com/mcrmcr/geoserver-1/commit/7c3e9aaf7aa4a625099fcd6bd88199b5ed1c15e7

The patch contains only a few lines, but it is a hack. As a consequence, a review would be nice.

@Justin, I think this class was invented by you.

Thanks to reviewer :slight_smile:

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Done, please review at

https://github.com/mcrmcr/geoserver-1/commit/7306ceaf1a9fc98ba4c8b00d733ee7bf9bfce0aa

···

2013/7/24 Christian Mueller <christian.mueller@anonymised.com>

Yep, this is an argument. The URL path is

http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false

Some improvments:

Changing the ant pattern to “/web/” instead of “/web/**”

Check that the number of parameters is 2

Check that wicket:bookmarkablePage exists and has the value :org.geoserver.web.GeoServerLoginPage

Check that error parameter exists and has the value false or true.

I will check this and update the patch.

Christian

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/7/24 Roar Brænden <roar.brenden.no@anonymised.com>

Hi,

I look at your code and are a little bit concerned about the solution for Login-page itself.
Wouldn’t it be easy to include “org.geoserver.web.GeoServerLoginPage” as a part of the queryString in any url?
In that way this hack would be a fairly decent security hole.

Regards,

Roar Brænden

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/7/23 Christian Mueller <christian.mueller@anonymised.com>

The issue is here

https://jira.codehaus.org/browse/GEOS-5921#comment-329355

The patch is here

https://github.com/mcrmcr/geoserver-1/commit/7c3e9aaf7aa4a625099fcd6bd88199b5ed1c15e7

The patch contains only a few lines, but it is a hack. As a consequence, a review would be nice.

@Justin, I think this class was invented by you.

Thanks to reviewer :slight_smile:

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

I think this solution would be enough to close the security hole.

···

2013/7/24 Christian Mueller <christian.mueller@anonymised.com>

Done, please review at

https://github.com/mcrmcr/geoserver-1/commit/7306ceaf1a9fc98ba4c8b00d733ee7bf9bfce0aa

2013/7/24 Christian Mueller <christian.mueller@anonymised.com>

Yep, this is an argument. The URL path is

http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false

Some improvments:

Changing the ant pattern to “/web/” instead of “/web/**”

Check that the number of parameters is 2

Check that wicket:bookmarkablePage exists and has the value :org.geoserver.web.GeoServerLoginPage

Check that error parameter exists and has the value false or true.

I will check this and update the patch.

Christian

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/7/24 Roar Brænden <roar.brenden.no@anonymised.com>

Hi,

I look at your code and are a little bit concerned about the solution for Login-page itself.
Wouldn’t it be easy to include “org.geoserver.web.GeoServerLoginPage” as a part of the queryString in any url?
In that way this hack would be a fairly decent security hole.

Regards,

Roar Brænden

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/7/23 Christian Mueller <christian.mueller@anonymised.com>

The issue is here

https://jira.codehaus.org/browse/GEOS-5921#comment-329355

The patch is here

https://github.com/mcrmcr/geoserver-1/commit/7c3e9aaf7aa4a625099fcd6bd88199b5ed1c15e7

The patch contains only a few lines, but it is a hack. As a consequence, a review would be nice.

@Justin, I think this class was invented by you.

Thanks to reviewer :slight_smile:

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel