Security Issue - RSS Functionality
Posted: Thu 21. Oct 2004, 13:01
V1.1 RC4 1 May 2004
I don't think this is critical but it may be important for some users, so it may warrant a general alert...
I have just seen the menu heading, category name & title for an invisible and non-public part of my site revealed when an article within this section was made public. As a matter of policy, I believe that security should follow the hierarchy. Even headings can contain sensitive information.
Another example of a problem is where a private page is hidden but still available if you know the link. I don't believe such pages should be reported by RSS because along with each summary comes a link to the item the author has hidden!
As a minimum, if a part of the structure is not visible and public, then I don't believe that any of the data relating to the structure (e.g. title, subtitle) should be included in the RSS feed.
If the rules are only to apply to the content, then, if the content of the article is both visible and public but the structure is not, I think the title etc. relating to the structure should be suppressed somehow.
Although it would be possible to make this configurable, I can't imagine anyone wanting to report info by RSS that they have sought to hide.
James Savage
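As an added example (not code from the original post or from the CMS under discussion), here is a small Python feed builder that applies the policy the post asks for: an article is listed in the RSS feed only when it and every ancestor section are both visible and public, so neither the hidden section's heading nor a link into it ever reaches the feed. The content tree, the `visible`/`public` flags, the URLs and the `Node`/`feed_items`/`render_rss` names are all constructed for this illustration; the `check_hierarchy=False` path is included only to show the article-only check the post describes.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional
from xml.sax.saxutils import escape


@dataclass
class Node:
    """One entry in the site structure (a section or an article).

    'visible' stands for the post's "visible" flag (shown in menus) and
    'public' for its "public" flag (readable without logging in). Both
    names are assumptions made for this example.
    """
    title: str
    visible: bool
    public: bool
    parent: Optional["Node"] = None
    url: str = ""  # articles carry a link; sections do not


def lineage(node: Optional[Node]) -> Iterator[Node]:
    """Yield the node itself, then each ancestor up to the root."""
    while node is not None:
        yield node
        node = node.parent


def is_exposed(node: Node) -> bool:
    """True only if the node and every ancestor are both visible and public.

    This is the 'security follows the hierarchy' rule: a public article
    inside a hidden section is not exposed, because listing it would reveal
    the section's heading and hand out a link to hidden content.
    """
    return all(n.visible and n.public for n in lineage(node))


def feed_items(articles: List[Node], check_hierarchy: bool = True) -> List[Node]:
    """Select the articles that may appear in the feed.

    check_hierarchy=False reproduces the behaviour described in the post
    (only the article's own flags are consulted) and exists for comparison.
    """
    if check_hierarchy:
        return [a for a in articles if is_exposed(a)]
    return [a for a in articles if a.visible and a.public]


def render_rss(articles: List[Node], feed_title: str = "Site feed") -> str:
    """Render a minimal RSS 2.0 document containing only exposed articles."""
    items = []
    for a in feed_items(articles):
        section = a.parent.title if a.parent else ""
        items.append(
            "<item>"
            f"<title>{escape(a.title)}</title>"
            f"<link>{escape(a.url)}</link>"
            f"<category>{escape(section)}</category>"
            "</item>"
        )
    return (
        '<?xml version="1.0"?><rss version="2.0"><channel>'
        f"<title>{escape(feed_title)}</title>"
        + "".join(items)
        + "</channel></rss>"
    )


# Constructed sample site tree (not real data).
NEWS = Node("News", visible=True, public=True)
MINUTES = Node("Board minutes", visible=False, public=False)  # hidden section

SAMPLE_ARTICLES = [
    Node("Launch day", True, True, parent=NEWS, url="https://example.invalid/news/launch"),
    Node("Draft announcement", False, True, parent=NEWS, url="https://example.invalid/news/draft"),
    # Public article placed inside the hidden section: the case the post describes.
    Node("Q3 budget", True, True, parent=MINUTES, url="https://example.invalid/minutes/q3"),
]

if __name__ == "__main__":
    print("article-only check:", [a.title for a in feed_items(SAMPLE_ARTICLES, check_hierarchy=False)])
    print("hierarchy check   :", [a.title for a in feed_items(SAMPLE_ARTICLES)])
    print(render_rss(SAMPLE_ARTICLES))
```

Run stand-alone, the article-only check lists "Q3 budget" together with its hidden section's name and URL, while the hierarchy check drops it; the same `is_exposed` test can be applied to any other listing surface (sitemaps, search results, "latest articles" boxes) that reads from the content tree.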