[Tickets #2565] Re: Gecko Bookmarks extension

bugs at bugs.horde.org
Thu Aug 16 16:29:56 UTC 2007



Ticket URL: http://bugs.horde.org/ticket/?id=2565
-----------------------------------------------------------------------
 Ticket             | 2565
 Updated By         | Chuck Hagenbuch <chuck at horde.org>
 Summary            | Gecko Bookmarks extension
 Queue              | Trean
 Type               | Enhancement
 State              | Feedback
 Priority           | 2. Medium
 Owners             | 
-----------------------------------------------------------------------


Chuck Hagenbuch <chuck at horde.org> (2007-08-16 09:29) wrote:

I've committed the Trean part of the changes. I hesitate to commit the
jsonrpc implementation, though, because of security concerns. I don't know
if there is going to be an easy way to fix this, but I don't think we can
roll it out if it's possible to exploit.

Here's the concern: if a user is using TreanMarks and is authenticated,
another website with malicious javascript code could use XmlHttpRequest to
POST jsonrpc requests to Horde without the user knowing. This actually goes
beyond Trean since the user's authentication to Horde would be used; any
API method would be callable.

My first thought of how to handle this is that instead of using HTTP basic
authentication, we need to have the jsonrpc backend use a real session,
with a session key stored in the extension and included in requests as a
POST parameter (like the Horde_Form token usage for CSRF protection) for
checking.

Thoughts?
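The mitigation sketched above (a per-session secret stored by the extension and sent as a POST parameter, then checked server-side before any API method is dispatched) as an added example; this is not Horde, Trean or TreanMarks code. It assumes PHP 7 or later (random_bytes, hash_equals), takes the session and the POST data as plain arrays so it can be run from the command line, and uses a hypothetical `bookmarks.add` method as a stand-in for a real API call.

```php
<?php
// Added example, not part of the ticket or of Horde/Trean: a minimal JSON-RPC
// front door that refuses requests lacking the session-bound token.
// Assumptions: PHP 7+ (random_bytes, hash_equals); $session and $post are
// passed in as arrays instead of reading $_SESSION / $_POST directly.

// Create one token per login and keep it server-side in the session.
// The extension stores the same value and sends it with every request.
function issue_token(array &$session): string
{
    if (empty($session['jsonrpc_token'])) {
        $session['jsonrpc_token'] = bin2hex(random_bytes(32));
    }
    return $session['jsonrpc_token'];
}

// A cross-origin XmlHttpRequest can ride on the victim's cookies, but it
// cannot read the token out of the extension or the session, so a request
// without the matching token is rejected before any method is looked up.
function verify_token(array $session, array $post): bool
{
    if (empty($session['jsonrpc_token']) || !isset($post['token'])) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token via timing.
    return hash_equals($session['jsonrpc_token'], (string) $post['token']);
}

// Dispatch a JSON-RPC call only after the token check has passed.
function handle_jsonrpc(array $session, array $post, array $methods): array
{
    if (!verify_token($session, $post)) {
        return ['error' => ['code' => 403, 'message' => 'Missing or invalid session token']];
    }
    $req = json_decode($post['json'] ?? '', true);
    if (!is_array($req) || !isset($req['method']) || !isset($methods[$req['method']])) {
        return ['error' => ['code' => -32601, 'message' => 'Method not found']];
    }
    $result = $methods[$req['method']]($req['params'] ?? []);
    return ['result' => $result, 'id' => $req['id'] ?? null];
}

// --- demonstration with a constructed session and two constructed requests ---
$methods = [
    // Hypothetical stand-in for a bookmarks API method; not Trean's real API.
    'bookmarks.add' => function (array $params) {
        return 'added ' . ($params['url'] ?? '?');
    },
];

$session = ['userId' => 'alice'];   // constructed authenticated session
$token   = issue_token($session);   // the value the extension would store

// 1) Request a third-party page could forge: cookies are sent, token is not.
$forged = [
    'json' => json_encode(['method' => 'bookmarks.add',
                           'params' => ['url' => 'http://example.org/'],
                           'id'     => 1]),
];
print_r(handle_jsonrpc($session, $forged, $methods));

// 2) The same call as sent by the extension, carrying the session token.
$legit = $forged + ['token' => $token];
print_r(handle_jsonrpc($session, $legit, $methods));
```

Run from the shell, the first call returns the 403 error structure and the second returns the method's result, which is the property the ticket asks for: the user's cookie-based authentication alone is no longer enough to invoke an API method. The token should be issued once per login, stored only in the session and the extension, and never placed in a cookie, since a cookie would be sent along with the forged request too.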


