Think Security
filburt1
Join Date: Feb 2002
Posts: 6,144
Maryland, US
02 Apr 2003

I can't believe how many people are credibly suggesting this.

Example: Let's say you don't want to allow unregistered members to view the smilies page. Your solution could be to use a conditional templates hack and just remove all references to that page for guests. However, anybody who knows the URL to the page can just load it himself.

That may sound trivial, but here's another example. Let's say you have a moderator area that allows mods to quickly prune posts in a given forum. You use the above method and the same problem: anybody could figure out the URL and do whatever they want.

So, in summary: always, no exceptions ever, do permission checking both when displaying certain parts of a UI and when actually executing the user's request.
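An added example, not code from the post or from vBulletin, that contrasts the two approaches in Python. The users, URLs and permission names are constructed for illustration: the navigation is built the "conditional template" way (hidden links), while the secure dispatcher re-checks the permission at the moment the request is executed, so a guest who types the prune URL directly gets a 403 instead of pruning posts.

```python
from dataclasses import dataclass


# Constructed sample users, loosely modelled on the post's guest vs. moderator cases.
@dataclass
class User:
    name: str
    registered: bool = False
    moderator: bool = False


# Constructed URL -> required permission table (not real vBulletin routes).
ACTIONS = {
    "misc.php?action=showsmilies": "view_smilies",
    "moderate.php?action=prune": "prune_posts",
}


def has_permission(user: User, perm: str) -> bool:
    """Single authoritative permission check, shared by UI and execution paths."""
    if perm == "view_smilies":
        return user.registered
    if perm == "prune_posts":
        return user.moderator
    return False


def render_nav(user: User) -> list[str]:
    """The conditional-template approach: links the user may not use are not shown."""
    return [url for url, perm in ACTIONS.items() if has_permission(user, perm)]


def handle_request_insecure(user: User, url: str) -> str:
    """Trusts the UI: any known URL is executed regardless of who requests it."""
    if url not in ACTIONS:
        return "404"
    return f"executed {ACTIONS[url]}"


def handle_request_secure(user: User, url: str) -> str:
    """Re-checks the permission at execution time, independent of what the UI showed."""
    if url not in ACTIONS:
        return "404"
    perm = ACTIONS[url]
    if not has_permission(user, perm):
        return "403"
    return f"executed {perm}"
```

Calling `handle_request_insecure` and `handle_request_secure` with a guest `User` and the prune URL shows the difference: the first executes the prune, the second refuses it even though neither ever showed the guest the link.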
Comments
#2, 02 Apr 2003, 22:04
JulianD
 
Join Date: Jan 2002
Real name: Julian Muñoz
Thanks for the tip, filburt. It's always good to think about security.
__________________
Julian D. Muñoz