Support #4086
Support #2696: security review
review the RemoteObject exports in StandardServer and other common runtime classes for security implications
Status: New
Priority: Normal
Assignee: -
Target version: -
Start date:
Due date:
% Done: 0%
billable: No
vendor_id: GCD
case_num:
version:
Related issues
History
#1 Updated by Greg Shah almost 5 years ago
Although our exported APIs in the DAP do have security checking for access purposes, in practice I think we may be exposing too much in the use of our RemoteObject approach to export services by default in FWD. In the standard configuration (usually inherited from one of the Hotel templates), I think all users (in the default bogus FWD account) can access everything that is exported.
We need to:
- review the state of security for all of our exported services
- determine if any security improvements/new features are needed
- determine what configuration changes are needed to better lock down the default configuration
- make a list of any other security related issues found
#2 Updated by Greg Shah about 3 years ago
- Parent task set to #2696
#3 Updated by Greg Shah about 3 years ago
- Related to Bug #5035: Temp-Table index on P.L.O field added
#4 Updated by Greg Shah about 3 years ago
Please check all external API mechanisms (appserver replacement, webspeed/web handler, REST, SOAP and the embedded driver up-calls) to identify any security issues. One example is whether simple incrementing handle IDs can be exploited via these APIs (see #5035-19 and the following discussion).
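The predictable handle-ID concern raised in this comment, as an added illustration that is not FWD's code: a naive registry that hands out incrementing integer handles and resolves them without regard to the caller, beside a hardened one whose handles are random and bound to the principal that created them. All class and method names here are hypothetical.

```python
import secrets

# Constructed sketch of a service that issues handles to remote callers.
# Not FWD code; the registry classes and method names are hypothetical.


class SequentialHandles:
    """Naive registry: handles are 1, 2, 3, ... and lookup ignores the caller."""

    def __init__(self):
        self._next = 1
        self._objects = {}

    def create(self, owner, obj):
        hid = self._next          # owner is recorded nowhere
        self._next += 1
        self._objects[hid] = obj
        return hid

    def resolve(self, caller, hid):
        # Any caller that can guess a small integer reaches the object.
        return self._objects.get(hid)


class OwnedHandles:
    """Hardened registry: unguessable handle ids bound to the creating principal."""

    def __init__(self):
        self._objects = {}        # handle id -> (owner, obj)

    def create(self, owner, obj):
        hid = secrets.token_hex(16)   # 128 random bits; not enumerable
        self._objects[hid] = (owner, obj)
        return hid

    def resolve(self, caller, hid):
        entry = self._objects.get(hid)
        # Unknown handle and someone else's handle look the same to the caller.
        if entry is None or entry[0] != caller:
            return None
        return entry[1]


def demo():
    """Returns what a second principal ("bob") sees when trying handle 1."""
    naive, hardened = SequentialHandles(), OwnedHandles()
    naive.create("alice", "alice's temp-table")
    hid = hardened.create("alice", "alice's temp-table")
    leaked = naive.resolve("bob", 1)            # guessable integer: object returned
    blocked = hardened.resolve("bob", hid)      # not bob's handle: denied
    own = hardened.resolve("alice", hid)        # owner still resolves normally
    return leaked, blocked, own
```

The hardened registry is a check on top of, not a replacement for, the access-control checks the comment mentions for the DAP exports.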