NetTalk Central
NetTalk Web Server => Web Server - Ask For Help => Topic started by: Alberto on May 13, 2017, 10:20:50 AM

-
Hi,
I'm using ntd.push in a JS file to open a form, and $.post to set session variables in NT depending on JS events, like:
 
// post to inform the NT form which date/time the user clicked on in the JS
// (values are URL-encoded so the "+" of a timezone offset is not turned into a space)
$.post("FullCalendarForm?datenow=" + encodeURIComponent(moment(date).format()) + "&viewnow=" + encodeURIComponent(view.name));
// push to open the NT form, which then knows how to prime date and time
// (the row id is passed as a value, not as the literal string "+event.id+")
ntd.push('CalendarAppointment','','Calendar Entry Form',1,1,null,'FullCalendarForm',event.id,'',0,'','','','btnCal','','');

// post to change date/time when a user drags and drops an event
$.post("FullCalendarForm?newstartdatetime=" + encodeURIComponent(moment(event.start).format()) + "&IdEvent=" + encodeURIComponent(event.id));
 
Is there any vulnerability in it?
Is there anything a user can do knowing the JS code?

How do I prevent a user from posting
FullCalendarForm?newstartdatetime="1800-01-01T12:00:00"&IdEvent=111
and destroying the 111 event record?
 
 Thanks
 
 
 
 
-
Bruce? Any help?

-
Hi Alberto,
 
 It's impossible to comment because security is a complex topic, which requires understanding of what you are doing and how an attack might occur. So it's not something that can be determined by looking at a little bit of code like this in isolation.
 
>> How do I prevent a user from posting FullCalendarForm?newstartdatetime="1800-01-01T12:00:00"&IdEvent=111 and destroying the 111 event record?

Generally speaking, I use the GetBrowseValue system to create indirection in the IDs so that IDs are not numeric and can't be guessed like this. That's why you'll see on a browse, for example, that the row ID is a random string, not the primary key value. You could identify your data in the widget, when sending data to it, in the same way.

Aside: one of the benefits of using GUIDs over Auto Numbering is that IDs cannot be guessed. If you are building web apps then this is a good thing to do. If you are using Auto Numbering then you run a risk that numbers can be guessed, even if indirection is in play.
 
 Bruce
 
-
Thanks Bruce,

I know how to make the _bidv_ with GetBrowseValue.
Then I can send the IdEvent like this.
But how do I decipher it in the popup form for it to open the record?

Thanks
-
No way,
I realized that nt.pop sends exactly what you set in the row param using _bidv_.
First I'm sending the rowid, so in the form p_web.getvalue('_bidv_') is exactly the rowid.
So I think if _bidv_ is a number you assume it is the row nr, and if it is not you assume _bidv_ is made with GetBrowseValue.
Then I send the EventId using GetBrowseValue but... the fullcalendar.js stops working.
I don't know why, maybe it does not like the characters sent to the eventid field.

It may be very useful to know how GetBrowseValue and _bidv_ work in the form.

I solved this by encrypting the row id, converting it to base64 and sending it as eventid.
Then in the form I get the _bidv_, decrypt it and set the new _bidv_ value again.

It's working but I don't know where to put this routine to modify the _bidv_.

Regards