|
-
dbEditAddROFlds security problem?
I've performed some security trials. In each simulated attach
1. I've written an asp page
2. I've called it into my browser
3. I've downloaded the produced html code to my desktop
4. I've modified some html tag (the action parameter, to make it to point to the original asp page
and, usually, some hidden form control)
5. I've called the modified html page into my browser
6. I've submitted the form
Then I expected AspDb to perform some security control before to apply my database updates.
In most cases I've been pleased with AspDb behaviour, but there have been two trials which alerted
me.
In this mail I would like to write about the first one (a problem I can easily overcome in my code,
but himo, a dangerous behaviour).
Here's the asp code (let's call this page dbEditAddROFldsSecurityExample.asp)
<%
Set X=Server.CreateObject("ASP.db"
X.dbUnit = 101
X.dbDSN="nwind"
X.dbSQL="Select EmployeeID,lastName , firstName , title from employees"
X.dbEditFlds="lastName,firstName,title[Sales Representative]"
X.dbEditAddROFlds="title"
X.dbEditParams = "TableName=Employees,BookMarkFlds=0"
X.dbStartUp="editAdd"
X.dbNavigationItem="bottom,add"
X.ASPdb
%>
I don't want the user to change the title field. But I, as a user, did it!
Let's look how I did it.
I've downloaded the produced add page html code, and I've got something like this:
<CENTER><h3>Add a new record</h3></CENTER>
<CENTER><FORM NAME=EDFORM_101
ACTION="/aspdb/trials/dbEditAddROFldsSecurityExample.asp#ASPDB_101" METHOD=POST >
<P><TABLE BGCOLOr=#ffffff cellspacing=5 border=0>
<TR><th BGCOLOR=#99CCFF>
<font color=#0000cc>Field</font></th><th BGCOLoR=#99CCFF >
<font color=#0000cc>New Record</font></th></TR>
<Tr><th align=right BGCOLoR=#99CCFF ><font color=#0000cc>LastName </font></th>
<TD align=left><INPUT name="LastName" TYPE=TEXT MAXLENGTH=20 SIZE=20 VALUE=''></TD></TR>
<Tr><th align=right BGCOLoR=#99CCFF ><font color=#0000cc>FirstName </font></th>
<TD align=left><INPUT name="FirstName" TYPE=TEXT MAXLENGTH=10 SIZE=10 VALUE=''></TD></TR>
<Tr><th align=right BGCOLoR=#99CCFF ><font color=#0000cc>Title </font></th>
<TD align=left>Sales Representative</TD>
<INPUT NAME="Title" TYPE=HIDDEN VALUE='Sales Representative'></TR>
<tr align=centeR><th valign=middle ROWSPAN=3 BGCOLoR=#99CCFF >
<A HREF="/aspdb/prove/sicurezzaDbEditAddROFlds.asp?aspDBBut_101=aspDBgoG rid::0">
<font color=#0000cc>Cancel</font></A> </th>
<td ROWSPAN=3 align=center valign=middle>
<INPUT TYPE=HIDDEN NAME=aspDBClick_101 VALUE=applyadd>
<INPUT TYPE=HIDDEN NAME=aspDBUnit VALUE='_101'>
<INPUT TYPE=Submit NAME=aspDBEditBut_101 VALUE='Add New Record'><br>
<INPUT TYPE=Reset VALUE='Reset'></Td></tr></TABLE></CENTER></FORM>
<A NAME=ASPDB_101> </A>
Then I've changed the ACTION attribute of the FORM element to something like
"http://glauco/trials/dbEditAddROFldsSecurityExample.asp#ASPDB_101"
and I've modified the VALUE attribute of the hidden INPUT element
named "Title" to 'Vice President, Sales'.
I called the obtained html file dbEditAddROFldsSecurityExample.htm and I put it on my desktop.
Then I loaded dbEditAddROFldsSecurityExample.htm into my browser, I inserted a dummy lastName
and a dummy name field values and submitted the form.
The new record was added, with the 'Vice President, Sales' title,
while I was hoping for either an error message or the default value added or something like this.
I've performed similar trials with the dbEditUpdateROFlds property, and it seems to work properly
(the added hidden field is not considered at all). AspDb worked well also when I tried, in a
similar way, to update a field not included in the dbEditFlds list.
On the contrary, I found dbEditDropFlds not to be so good, from the point of view of security, but
I'm going to write a dedicated mail to this subject.
I hope I'm missing something, and there is a simple solution to theese apparent problems.
Thanks in advance for any hint.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote