CheckBox Security Issue


Gustavo Crespo

Oct 11, 2016, 12:05:10 PM
to iDempiere
Hi Community,

I have found that it is possible to change the value of a checkbox-type control, even when it is enabled in read-only mode only, when the browser's "Developer Tools" are enabled and the disabled attribute is removed.


I've replicated it on test.idempiere.org: entering as SuperUser (Business Group System) in the window, tab and field (window: Bank / Cash, tab: Bank / Cash, field: Active), I modified the Active field to be read-only, and then I entered as GardenAdmin (Role: Admin Gardenworld). The field does appear read-only, but after enabling the "Developer Tools" and removing the disabled attribute, you can change the value and save these new values.

Any help would be appreciated.

Thanks in advance.
Attachments: checkBox-Issue1.png, checkBox-Issue2.png, checkBox-Issue3.png

Andy Conn

Oct 13, 2016, 11:38:59 AM
to iDempiere
I am new to iDempiere development, but if this scenario is true it is quite concerning. It implies that the server takes the validity of the data provided by the client for granted. This is not a sound and secure approach. The web UI (and data) can easily be manipulated by anyone slightly familiar with developer mode. Is it true that the server does not validate the client-supplied data against the rules (e.g. read-only) defined in the AD?

Hiep Lq

Oct 13, 2016, 12:58:39 PM
to Mohemmed Bilal Ilyas
Hi Gustavo Crespo.

If you consider it a security issue, we have a process for reporting vulnerabilities.

Anyway, thanks a lot for reporting it.

Hi Andy Conn, for validating data we have dynamic validation rules besides other validation methods.

Read-only in the web app, or even in the desktop app, shouldn't become a validation (in the desktop app you can still edit a read-only field by sending a message).

Changing and saving a value in a read-only field is acceptable in some cases.

Example: I design a read-only field, but its value can be changed by clicking a button that shows a form for editing the value, after which the changed value is saved.

Back to iDempiere: like other systems, it has issues, but issues can't destroy iDempiere.

--
Lê Quý Hiệp
Email: hie...@hasuvimex.vn
Skype: admin.hasuvimex

Company: Thanh Hoa Fishery Import - Export J.s.c  (HasuvimexDL 47
Add: Lot E, Le Mon Industrial Zone, Thanh Hoa, Vietnam
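To make concrete the point Andy raises and Hiep answers, here is an added example of what a server-side guard looks like when it does not rely on the browser's disabled attribute at all. It is not iDempiere code and not code from anyone in this thread; the names FIELD_RULES, FieldRule, apply_update and audit_line, the "Bank / Cash" window and tab keys, the "toggle_active_form" action and the sample record are all constructed placeholders standing in for an Application Dictionary lookup. The rule compares each submitted value against the stored record, so a read-only field the form merely re-posts unchanged passes, while a tampered change is rejected unless it arrives through a named server-side action (Hiep's "button opens a form" case). The rejection is also turned into a log line, because a client changing a field the server marked read-only is a tamper signal worth alerting on.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added example, not iDempiere code. All names and rules below are assumptions.


class FieldWriteDenied(Exception):
    """Raised when a submitted change targets a field the caller may not write."""


@dataclass(frozen=True)
class FieldRule:
    read_only: bool = False                          # the field's Read Only flag (assumed AD-style)
    editable_via: FrozenSet[str] = frozenset()       # server-side actions that may still write it


# Constructed stand-in for an Application Dictionary lookup, keyed (window, tab, field).
FIELD_RULES: Dict[Tuple[str, str, str], FieldRule] = {
    ("Bank / Cash", "Bank / Cash", "Name"): FieldRule(),
    ("Bank / Cash", "Bank / Cash", "Description"): FieldRule(),
    # 'Active' is read-only on the form, but a dedicated form action may change it
    ("Bank / Cash", "Bank / Cash", "Active"): FieldRule(
        read_only=True, editable_via=frozenset({"toggle_active_form"})
    ),
}


def apply_update(record: dict, submitted: dict, *, window: str, tab: str,
                 action: Optional[str] = None, strict: bool = True) -> Tuple[dict, List[str]]:
    """Merge client-submitted values into the stored record under the field rules.

    The browser's disabled attribute is never consulted: the decision is made
    from the rules and the stored record only.  Returns (updated, rejected).
    With strict=True any rejected field aborts the whole save; with strict=False
    the rejected fields keep their stored values and the rest is applied.
    """
    updated = dict(record)
    rejected: List[str] = []
    for name, value in submitted.items():
        rule = FIELD_RULES.get((window, tab, name))
        if rule is None:
            rejected.append(name)            # field not in the dictionary: never accept it
            continue
        if name in record and value == record[name]:
            continue                         # unchanged: the form always re-posts it
        if rule.read_only and action not in rule.editable_via:
            rejected.append(name)            # read-only and not via a sanctioned action
            continue
        updated[name] = value
    if rejected and strict:
        raise FieldWriteDenied("read-only or unknown fields changed: " + ", ".join(rejected))
    return updated, rejected


def audit_line(user: str, window: str, tab: str, rejected: List[str]) -> str:
    """One log line per rejected save; a detection rule can alert on REJECTED_FIELD_WRITE."""
    return (f"REJECTED_FIELD_WRITE user={user} window={window!r} tab={tab!r} "
            f"fields={','.join(rejected)}")


if __name__ == "__main__":
    # Constructed sample: the stored row, and a POST where the client removed the
    # disabled attribute and unticked Active while also editing Description.
    stored = {"Name": "Main Bank", "Description": "", "Active": True}
    tampered = {"Name": "Main Bank", "Description": "updated", "Active": False}
    try:
        apply_update(stored, tampered, window="Bank / Cash", tab="Bank / Cash")
    except FieldWriteDenied as exc:
        print(exc)
        print(audit_line("GardenAdmin", "Bank / Cash", "Bank / Cash", ["Active"]))
    merged, dropped = apply_update(stored, tampered, window="Bank / Cash",
                                   tab="Bank / Cash", strict=False)
    print(merged, dropped)
```

Whether to abort the save (strict) or silently keep the stored value is a policy choice; aborting is the safer default because a silent drop hides the tampering from the user and, unless logged, from the operator too.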

Gustavo Crespo

Oct 14, 2016, 10:24:13 AM
to iDempiere
Hi Hiep Lq

Thank you very much, I'll report it as you indicate.

Greetings.


Andy Conn

Oct 14, 2016, 11:01:46 AM
to iDempiere
Ok Hiep, thanks for the reply :)

Carlos Antonio Ruiz Gómez

Oct 17, 2016, 12:44:43 PM
to iDempiere