Security: Servoy can call an uninstalled module
Posted: Tue Nov 15, 2011 1:15 pm
I am not sure if this is a security risk or just an error, but I have a solution that contains two modules ES_Authenticator and ES_Security, plus the main solution. The content for the two modules is broadly based on a test solution I produced where the modules are called GM_Authenticate and GM_Login. These two are not installed as modules in the current solution which has been restarted several times.
When this script is called:
var branchlist = security.authenticate('GM_authenticate', 'getBranches', [username])
The branchlist variable returns an object and functions as if the modules (GM_Authenticate and GM_Login) were actually included with the solution.
So my thoughts were: is this a security problem where an uninstalled module can be called by a solution, or is this expected behaviour and should the Authenticator and Login process not actually be included in the main solution as modules?
Cheers
Gordon