|
-
dbEditDropFlds security problem?
Here's a second example of (possible) security problem. If it is as it seems to me, it
is worse then the dbEditAddROFlds security problem I've written about in the other mail,
because it would be heavier to add self made security checks on each page, for this
kind of problem.
Consider this simple asp page (let's call it dbEditDropFldsSecurityExample.asp):
<%
Set MyDb = Server.CreateObject("ASP.db" ' Create the ASP-db object
MyDb.dbUnit = 100
MyDb.dbDSN = "nwind"
MyDb.dbSQL = "SELECT EmployeeID, LastName, FirstName, Title, ReportsTo FROM Employees"
MyDb.dbFormDisplayFlds = "-1"
MyDb.dbNavigationItem = "Update"
MyDb.dbEditParams = "TableName=Employees, BookMarkFlds=0"
MyDb.dbEditFlds = "LastName,FirstName,Title,ReportsTo"
MyDb.dbEditDropFlds = "(;|)ReportsTo||||SELECT EmployeeID, FirstName & ' ' & " &_
"LastName AS Name FROM Employees where lastName='Fuller' or lastName='Buchanan'"
MyDb.ASPdb ' Display it!
%>
I don't want the user to select a ReportsTo field value other then 2 or 5, the EmployeeIds of
Fuller and Buchanan respectively. But, as a user, I did it!
Let's look how I did it.
I've called dbEditDropFldsSecurityExample.asp in my browser. Then I chose the UPDATE link.
I've downloaded the produced update page html code, and I've got something like this:
<Center><h3>Update current record</h3></Center>
<CENTER><FORM NAME=EDFORM_100 ACTION="/aspdb/trials/dbEditDropFldsSecurityExample.asp#ASPDB_100" METHOD=POST >
<P><TABLE BGCOLOr=#ffffff cellspacing=5 border=0>
<TR><th BGCOLOR=#99CCFF><font color=#0000cc>Field</font></th><th BGCOLoR=#99CCFF >
<font color=#0000cc>Current Record</font></th></TR>
<Tr><th align=right BGCOLoR=#99CCFF ><font color=#0000cc>LastName </font></th>
<TD align=left><INPUT NAME="LastName" TYPE=TEXT MAXLENGTH=20 SIZE=20 VALUE='Davolio'></TD></TR>
<Tr><th align=right BGCOLoR=#99CCFF ><font color=#0000cc>FirstName </font></th>
<TD align=left><INPUT NAME="FirstName" TYPE=TEXT MAXLENGTH=10 SIZE=10 VALUE='Nancy'></TD></TR>
<Tr><th align=right BGCOLoR=#99CCFF ><font color=#0000cc>Title </font></th>
<TD align=left><INPUT NAME="Title" TYPE=TEXT MAXLENGTH=30 SIZE=25 VALUE='Sales Representative'>
</TD></TR><Tr><th align=right BGCOLoR=#99CCFF ><font color=#0000cc>ReportsTo </font></th>
<TD align=left>
<SELECT name="ReportsTo">
<option value=''> </option>
<option SELECTED value='2'>Andrew Fuller</option>
<option value='5'>Steven Buchanan</option>
</select>
</TD></TR><tr align=centeR><th valign=middle ROWSPAN=3 BGCOLoR=#99CCFF >
<A HREF="/aspdb/prove/sicurezzaDbEditDropFlds.asp?aspDBBut_100=aspDBgoFo rm::0">
<font color=#0000cc>Cancel</font></A> <BR>
<A HREF="/aspdb/prove/sicurezzaDbEditDropFlds.asp?aspDBBut_100=aspDBEdit Drop">
<font color=#0000cc>DropDown ?</font></A></th>
<td ROWSPAN=3 align=center valign=middle>
<INPUT TYPE=Submit NAME=aspDBEditBut_100 VALUE='Update Current Record'>
<INPUT TYPE=HIDDEN NAME=aspDBClick_100 VALUE=applyupdate>
<INPUT TYPE=HIDDEN NAME=aspDBUnit VALUE='_100'><br>
<INPUT TYPE=Reset VALUE='Reset'></Td></tr></TABLE></CENTER><br>
<center><font size=-1>Record Update/Delete Criteria : EmployeeID = 1</font></center>
<BR></FORM><A NAME=ASPDB_100> </A>
Then I've changed the ACTION attribute of the FORM element to something like
"http://glauco/trials/dbEditDropFldsSecurityExample.asp#ASPDB_101".
Furthermore, I've added the following OPTION element, to the SELECT content:
<option value='7'>Robert King</option>.
I called the obtained html file dbEditDropFldsSecurityExample.htm and I put it on my desktop.
Then I loaded dbEditDropFldsSecurityExample.htm into my browser and I chose the 'Robert King'
option from the drop down list.
The 'Davolio' record ReportsTo field was updated to 7 (!)
while I was hoping for either an error message or something like this.
Please, give me an answer to such security issue. I'm going to deploy AspDb for a
B2B portal, and I need such security controls: for example, I don't want a company employed to
be able to change attributes of a different company product 
Thanks in advance.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote