
Information leaking through web sockets

Open · pallix opened this issue 9 years ago · 1 comment

While analysing potential security problems wrt. anonymity/pseudonymity, the following came to my mind:

Websockets can be used to be notified of the creation/change/removal of resources. Subscription can be done on any resources by the user, there is no permission check. The content of the resource is not sent, only the path.

This could be used to:

  • obtain meta-information about private processes such as the number of proposals created, the numbers of comments created etc.
  • know how many bplaene are created
  • in general, obtain meta-information on resources not accessible because of permission restrictions

pallix · Apr 20 '16 09:04
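A minimal model of the leak described above, beside the check that closes it. This is an added example, not adhocracy3's own websocket code; the `can_view` callback (standing in for the backend's ACL lookup), the sample paths and the two users are constructed assumptions.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# Hypothetical stand-in for the backend's ACL lookup: True if `user` may view `path`.
PermCheck = Callable[[str, str], bool]
Delivery = Tuple[str, str, str]  # (user, event, path)


def ancestors(path: str) -> List[str]:
    """'/a/b/c' -> ['/a/b/c', '/a/b', '/a', '/']: child events bubble up to parents."""
    parts = path.rstrip("/").split("/")
    return ["/".join(parts[:i]) or "/" for i in range(len(parts), 0, -1)]


class LeakyBroker:
    """Unchecked broker: anyone may subscribe to any path (the reported behaviour)."""
    def __init__(self) -> None:
        self.subs: Dict[str, Set[str]] = defaultdict(set)
        self.delivered: List[Delivery] = []

    def subscribe(self, user: str, path: str) -> bool:
        self.subs[path].add(user)
        return True

    def recipients(self, path: str) -> Set[str]:
        return set().union(*(self.subs[p] for p in ancestors(path)))

    def notify(self, event: str, path: str) -> None:
        for user in sorted(self.recipients(path)):
            self.delivered.append((user, event, path))


class GatedBroker(LeakyBroker):
    """Checks view permission on subscribe, and again per event on the event's own path."""
    def __init__(self, can_view: PermCheck) -> None:
        super().__init__()
        self.can_view = can_view

    def subscribe(self, user: str, path: str) -> bool:
        if not self.can_view(user, path):
            return False  # no subscription on a resource the user cannot read
        return super().subscribe(user, path)

    def notify(self, event: str, path: str) -> None:
        for user in sorted(self.recipients(path)):
            if self.can_view(user, path):  # re-checked per event: permissions may change
                self.delivered.append((user, event, path))


def demo() -> Tuple[List[Delivery], List[Delivery]]:
    """Constructed scenario: 'alice' may read the private process, 'bob' may not."""
    readable = {"alice": {"/", "/private", "/private/proposal_1"}, "bob": {"/"}}
    can_view: PermCheck = lambda u, p: p in readable.get(u, set())
    results: List[List[Delivery]] = []
    for broker in (LeakyBroker(), GatedBroker(can_view)):
        for user in ("alice", "bob"):
            broker.subscribe(user, "/private")
        broker.notify("created", "/private/proposal_1")  # event on a child resource
        results.append(broker.delivered)
    return results[0], results[1]
```

In the leaky broker, bob learns that a proposal was created inside a process he cannot read; the gated broker neither accepts his subscription nor delivers the event.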

The root problem is the software architecture. The websocket server is an external service without authentication/authorization and not part of the pyramid backend. With this setup it's not possible to prevent information leaks for things that rely on the permission system.

joka · Apr 29 '16 10:04