[Tickets #2565] Re: Gecko Bookmarks extension
bugs at bugs.horde.org
bugs at bugs.horde.org
Thu Aug 16 17:32:16 UTC 2007
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=2565
-----------------------------------------------------------------------
Ticket | 2565
Updated By | joey at joeyhewitt.com
Summary | Gecko Bookmarks extension
Queue | Trean
Type | Enhancement
State | Feedback
Priority | 2. Medium
Owners |
-----------------------------------------------------------------------
joey at joeyhewitt.com (2007-08-16 10:32) wrote:
I remembered that the browser is caching the HTTP Basic credentials, which
is bad. I think I can prevent that. I'm hoping after the first call using
Basic auth, the cookie I get will be enough.
But I think I see now how it's exploitable. Couldn't someone
automatically submit a FORM with a POST to Horde, and the auth cookie would
attach to the request regardless of the domain of the POSTing site? I
guess they may not be able to do much with the response, but just sending
is enough to do nasty things.
So you're suggesting my extension holds a unique, opaque session key
(probably in addition to the cookie I already have) that isn't stored
anywhere in the browser proper?
Also, is this really specific to JSON-RPC, or is it something that could
be a problem with any of the RPC methods? Because on second thought, I
think JSON-RPC requests would be difficult to forge because XHR is probably
protected enough, and they can't be done by FORM that I know of, because
they aren't sent using the standard URL encoding form. They use a POST
Content-Type of 'application/json' or something, and the body is straight
JSON, not wrapped in URL &key=value form.
I hope it makes sense what I'm getting at here!
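The server-side check joey is describing, as an added example that is not part of Trean or Horde: an opaque per-session key handed to the extension once after the Basic-auth login and never set as a cookie, plus a Content-Type gate, so a cross-site HTML form POST that carries the auth cookie is still refused. The session store, the `horde_session` cookie name and the `X-RPC-Key` header are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed in-memory session store: cookie session id -> opaque RPC key.
# The key is returned to the extension in the login response body only,
# so the browser never attaches it automatically the way it attaches cookies.
SESSIONS = {}


def create_session():
    """Create a session and its opaque RPC key; returns (session_id, rpc_key)."""
    sid = secrets.token_urlsafe(16)
    key = secrets.token_urlsafe(32)
    SESSIONS[sid] = key
    return sid, key


@dataclass
class Request:
    cookies: dict   # cookies the browser attached (assumed name: horde_session)
    headers: dict   # HTTP request headers
    body: bytes     # raw request body


def check_rpc_request(req):
    """Return (accepted, reason). Anything an HTML form could have produced is rejected."""
    sid = req.cookies.get("horde_session")
    if sid not in SESSIONS:
        return False, "no valid session cookie"
    # A form can only send urlencoded, multipart or text/plain bodies, so a
    # JSON-RPC endpoint should refuse everything but application/json.
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "not a JSON-RPC content type"
    # The cookie alone proves nothing about who built the request; the opaque
    # key does, because a cross-site page never sees it. Constant-time compare.
    presented = req.headers.get("X-RPC-Key", "")
    if not hmac.compare_digest(presented.encode(), SESSIONS[sid].encode()):
        return False, "missing or wrong opaque session key"
    return True, "ok"


if __name__ == "__main__":
    sid, key = create_session()
    forged = Request({"horde_session": sid},
                     {"Content-Type": "application/x-www-form-urlencoded"},
                     b"method=bookmarks.add")
    print(check_rpc_request(forged))   # cookie attached, but rejected
```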