Security problem with edit and GET method

1/6/2006 8:53:47 AM
ASPRunnerPro General questions
Pfeiffer author

Hello,

Your example on the Internet shows one severe problem with the edit and GET method ASPRunner is using.
In the table Order Details (DEMO 2) I'm not allowed to change the ID 42. In the table view the edit link is not visible. This is a copy of the view window. So far so good.
Table: Order Details, Datensatzanzeige [ProductID: 42]
--------------------------------------------------------------------------------
Zurück zur Liste
OrderID 10248

Product Singaporean Hokkien Fried Mee

UnitPrice $9.80

Quantity 10

Discount 0.00

UserID 1

Zurück zur Liste
=================================================================
If I now manipulate the Explorer task string, it's no problem to do this.

I only changed editid=42 and I'm now suddenly allowed to change the record.
http://www.xlinesoft.com/asprunnerpro/live...view&masterkey=
It's some months ago that I showed you this problem.

I think only POST method can prevent this manipulation.
As long as this problem is not solved I cannot use this version on web servers, or do I misunderstand ASPRunner?
Best regards

Uwe Pfeiffer

Sergey Kornilov admin 1/6/2006

Uwe,
ASPRunnerPro does not have any known permissions issues at this moment.

Let me explain this to you one more time.
When you change EditID to 42 it builds the following SQL query:

select [ProductID], [UserID], [OrderID], [UnitPrice], [Quantity], [Discount] From [Order Details] where [ProductID]=42 and ([UserID]=2)
Since this user ordered product 42 several times, this query returns some record. You may note that when you modify editid and press Enter it pulls the product from a different order.
"Order details" is just a bad example of permissions usage.
To see how it works in reality check Users table. Click to edit user number 2. Manually change EditID to 1 and click "Go". It pulls no data because User number 2 cannot see and edit User number 1 data.
I hope this explains what's happening.

Pfeiffer author 1/6/2006

That's right, but you assume that a user is only allowed to edit his own records and you prevent editing of records of other users.
Very often MANY users have the permission to edit any record in the database.

Only because of special circumstances (for example you are not allowed to change a bill record which is already paid) I suppress the edit link. Of course I changed the template for that purpose.
But by changing the Explorer link the user can go around it and change the record although in table view edit is suppressed.
Best regards

Uwe Pfeiffer

Sergey Kornilov admin 1/6/2006

I see what you are saying.
When you mix your own logic with the ASPRunnerPro security model, all bad things can happen.

I have to tell you that the POST method won't help you in this situation because it's very easy to imitate a POST call by changing form variables.
If you use some logic to hide the Edit button you have to apply the same logic on the Edit page itself. In this case you can prevent unauthorized access.
I hope this makes sense.
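The fix described above, as an added illustration in Python rather than ASPRunnerPro's generated ASP (this is not code from the thread or from the product): the "bill already paid" rule from Uwe's post is applied once in the list template and then again on the Edit page itself, so a hand-typed editid no longer reaches the record. The Bill table, user ids and function names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Bill:
    bill_id: int
    owner_id: int
    paid: bool


# Constructed sample table (not the demo's "Order Details" data)
BILLS = {
    41: Bill(41, owner_id=2, paid=False),
    42: Bill(42, owner_id=2, paid=True),   # already paid: edit must be refused
    43: Bill(43, owner_id=1, paid=False),  # belongs to a different user
}


def can_edit(user_id, bill):
    """The one authorization rule, shared by the list template and the Edit page."""
    return bill.owner_id == user_id and not bill.paid


def list_view(user_id):
    """Rows shown in the table view; the Edit link is emitted only where allowed."""
    rows = []
    for bill in BILLS.values():
        if bill.owner_id != user_id:
            continue
        link = f"edit.asp?editid={bill.bill_id}" if can_edit(user_id, bill) else None
        rows.append((bill.bill_id, link))
    return rows


def _lookup(editid):
    """editid arrives as a query-string value, so treat it as untrusted text."""
    try:
        return BILLS.get(int(editid))
    except (TypeError, ValueError):
        return None


def edit_page_link_only(user_id, editid):
    """The thread's broken setup: only the built-in owner check runs here."""
    bill = _lookup(editid)
    if bill is None or bill.owner_id != user_id:
        return "no data"
    return f"edit form for bill {bill.bill_id}"


def edit_page_checked(user_id, editid):
    """Sergey's fix: re-apply the same rule on the Edit page itself."""
    bill = _lookup(editid)
    if bill is None or not can_edit(user_id, bill):
        return "no data"
    return f"edit form for bill {bill.bill_id}"
```

With user 2 the list hides the link for bill 42, yet `edit_page_link_only(2, "42")` still serves the form; `edit_page_checked` refuses it because the hidden-link rule is enforced server-side too.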