Hi again,

I was looking through the JS code, specifically, the data that is returned regarding the user settings. When the block data makes it to the server, it looks like there's no check to make sure that the returned blocks are part of the default page. I could be wrong, but it looks like someone could modify the DOM with data about other blocks in the system, and have them returned.

I haven't checked yet - but it seems possible...

Comments

mstef

Doesn't seem like you check to see if colors are allowed either... less of a security risk.
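As an added illustration of the two points raised here (the report above about block data not being checked against the default page, and the note about colors not being checked), the following plain PHP is example code written for this thread, not code from the module or from the reporter. Function names, the shape of the posted data, and the allowed block and color lists are all assumptions; the sample request is constructed to include one block that is not on the default page and one color the UI never offered. It shows the unchecked pattern next to an allowlist check, which is the kind of check a server-side save handler needs because anything in the DOM can be edited before it is posted.

```php
<?php
declare(strict_types=1);

// Assumed configuration: the block ids that belong to the default page and
// the colors the settings UI actually offers. In a real module these would be
// loaded from the site's saved configuration, not hard-coded.
const DEFAULT_PAGE_BLOCKS = ['header', 'sidebar_left', 'content', 'footer'];
const ALLOWED_COLORS      = ['#ffffff', '#000000', '#336699'];

// Constructed sample of what a tampered client could post: one block id that
// is not part of the default page and one color that is not in the palette.
const SAMPLE_POST = [
    'header'          => '#336699',
    'sidebar_left'    => 'javascript:alert(1)',   // not an allowed color
    'not_on_the_page' => '#ffffff',               // block id not on default page
];

// The unchecked pattern: whatever the client sent is what gets stored.
function save_settings_unchecked(array $posted): array
{
    return $posted;
}

/**
 * The hardened pattern: only block ids that are part of the default page and
 * only colors from the offered palette are kept. Everything else is reported
 * so the caller can reject the request or log it, instead of silently storing
 * data about blocks the user was never shown.
 *
 * @return array{clean: array<string,string>, errors: string[]}
 */
function save_settings_checked(array $posted, array $allowedBlocks, array $allowedColors): array
{
    $blockSet = array_flip($allowedBlocks); // flip once for O(1) isset() lookups
    $colorSet = array_flip($allowedColors);
    $clean    = [];
    $errors   = [];

    foreach ($posted as $blockId => $color) {
        $blockId = (string) $blockId; // PHP turns numeric-string keys into ints
        if (!isset($blockSet[$blockId])) {
            $errors[] = "block not on default page: $blockId";
            continue;
        }
        if (!is_string($color) || !isset($colorSet[$color])) {
            $errors[] = "color not allowed for $blockId: " . var_export($color, true);
            continue;
        }
        $clean[$blockId] = $color;
    }
    return ['clean' => $clean, 'errors' => $errors];
}

$unchecked = save_settings_unchecked(SAMPLE_POST);
$checked   = save_settings_checked(SAMPLE_POST, DEFAULT_PAGE_BLOCKS, ALLOWED_COLORS);

echo "Stored without a check: " . implode(', ', array_keys($unchecked)) . PHP_EOL;
echo "Stored with the check:  " . implode(', ', array_keys($checked['clean'])) . PHP_EOL;
foreach ($checked['errors'] as $error) {
    echo "rejected: $error" . PHP_EOL;
}
```

Running it with `php` prints that the unchecked version stores all three entries, while the checked version keeps only `header` and rejects the other two with a reason for each. Rejecting the whole request on any error, rather than saving the clean subset, is the stricter choice and is what a form validation handler would normally do.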

mstef’s picture

Version: 6.x-1.3 » 6.x-2.x-dev
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.