[Tickets #2565] Re: Gecko Bookmarks extension

bugs at bugs.horde.org bugs at bugs.horde.org
Thu Aug 16 16:59:48 UTC 2007


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=2565
-----------------------------------------------------------------------
 Ticket             | 2565
 Updated By         | joey at joeyhewitt.com
 Summary            | Gecko Bookmarks extension
 Queue              | Trean
 Type               | Enhancement
 State              | Feedback
 Priority           | 2. Medium
 Owners             | 
-----------------------------------------------------------------------


joey at joeyhewitt.com (2007-08-16 09:59) wrote:

Thanks for your feedback, and for pointing this out!

> I've committed the Trean part of the changes. I hesitate to commit 
> the jsonrpc implementation, though, because of security concerns. I 
> don't know if there is going to be an easy way to fix this, but I 
> don't think we can roll it out if it's possible to exploit.
>
> Here's the concern: if a user is using TreanMarks and is 
> authenticated, another website with malicious javascript code could 
> use XmlHttpRequest to POST jsonrpc requests to Horde without the user 
> knowing. This actually goes beyond Trean since the user's 
> authentication to Horde would be used; any API method would be 
> callable.

I'm sure you know more about this than I do.  But I'm not sure how it's
exploitable.  How is the extension being "logged in" any different from the
user being logged in to Horde?  Doesn't cross-domain security already
prevent a malicious site from doing this, whether the user himself is
logged in or the extension is?  I suppose code not subject to XHR security
checks (another extension) could make a POST, but such code has so much
control already that it seems futile to try to protect against it.

Regardless, you bring up some very good points.  We'll want to think it
through several times.

>
> My first thought of how to handle this is that instead of using HTTP 
> basic authentication, we need to have the jsonrpc backend use a real 
> session, with a session key stored in the extension and included in 
> requests as a POST parameter (like the Horde_Form token usage for 
> CSRF protection) for checking.

I'll need to learn how this is done, but I'm sure it wouldn't be too hard
to implement.

Thanks again.
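The session-token check proposed in the quoted reply, as an added example that is not Horde or Trean code: the server issues one random token per authenticated session, the extension sends it back as a POST parameter next to the JSON-RPC body, and the endpoint rejects any call where the token is missing or does not match. The parameter names `token` and `request` and the method name `bookmarks.list` are assumptions made for this illustration.

```python
import hmac
import json
import secrets


def issue_session_token(session: dict) -> str:
    """Mint one random token for an authenticated session and keep it
    server-side; the extension stores a copy and sends it with every call.
    A cross-site page cannot read it, so it cannot forge a valid request."""
    token = secrets.token_hex(32)
    session["jsonrpc_token"] = token
    return token


def build_extension_request(token: str, method: str, params: list) -> dict:
    """What the extension would POST: the JSON-RPC body plus the token
    as a separate form parameter (assumed names 'request' and 'token')."""
    return {"token": token, "request": json.dumps({"method": method, "params": params})}


def check_jsonrpc_request(session: dict, form: dict) -> tuple:
    """Validate one JSON-RPC POST before dispatching any API method.
    Returns (ok, method_or_reason)."""
    expected = session.get("jsonrpc_token")
    supplied = form.get("token")
    if not expected or not isinstance(supplied, str):
        return (False, "missing session token")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return (False, "token mismatch")
    try:
        rpc = json.loads(form.get("request", ""))
    except ValueError:
        return (False, "malformed JSON-RPC body")
    if not isinstance(rpc, dict) or not isinstance(rpc.get("method"), str):
        return (False, "not a JSON-RPC request")
    return (True, rpc["method"])


if __name__ == "__main__":
    # Constructed round trip: the extension logs in, then calls a method.
    session = {}
    tok = issue_session_token(session)
    good = build_extension_request(tok, "bookmarks.list", [])
    print(check_jsonrpc_request(session, good))
    # A forged cross-site POST carries the cookies but not the token.
    print(check_jsonrpc_request(session, {"request": good["request"]}))
```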
