[Architecture] Serious security hole in BAM data service

Afkham Azeez azeez at wso2.com
Tue Sep 1 04:43:43 EDT 2009


Also,
org.wso2.carbon.bam.listservice.services.BAMListAdminService is only a
hiddenService not an adminService. Hidden services are not secured!
So, again, looks like another sec hole. Dumindu, any particular reason
to make that only a hiddenService?

Azeez

On Tue, Sep 1, 2009 at 8:31 AM, Afkham Azeez<azeez at wso2.com> wrote:
> Folks,
> Our admin services are secured using the "adminService" parameter in
> the services.xml file. Fortunately, until now, all admin services were
> AARs. Hence there were associated services.xml files. The BAM data
> service is the first DS admin service. Since there is no way to
> associate services.xml files with other types of services, we cannot
> add that parameter. So, anybody out there can call this service.
>
> The only workaround I can think of is to introduce a BAM deployment
> interceptor, which will check for BAM service deployment &
> programmatically add the "adminService" param. Dumindu, can you look
> into this ASAP and fix this before we do the final build today at 5pm?
>
> --
> --
> Afkham Azeez
> azeez at wso2.com
> WSO2 Inc. http://wso2.com
> Blog: http://afkham.org
>



-- 
--
Afkham Azeez
azeez at wso2.com
WSO2 Inc. http://wso2.com
Blog: http://afkham.org
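As an added illustration of the workaround proposed in the quoted message (this is example code written here, not WSO2's or the BAM project's own code): an Axis2 AxisObserver that watches service deployment events and, for services that have no services.xml of their own, programmatically adds the "adminService" parameter the thread relies on. It assumes the "deployment interceptor" maps onto Axis2's AxisObserver hook, identifies BAM data services by a hypothetical name prefix (BAM_SERVICE_PREFIX), and treats a service that carries hiddenService without adminService as unauthenticated, which is what the message above states.

```java
import org.apache.axiom.om.OMElement;
import org.apache.axis2.AxisFault;
import org.apache.axis2.description.AxisModule;
import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.AxisServiceGroup;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.description.ParameterIncludeImpl;
import org.apache.axis2.engine.AxisConfiguration;
import org.apache.axis2.engine.AxisEvent;
import org.apache.axis2.engine.AxisObserver;
import java.util.ArrayList;
import java.util.logging.Logger;

/**
 * Example observer (not WSO2 code). Assumption: it is registered in axis2.xml
 * with <listener class="BamAdminServiceObserver"/>, so it sees a SERVICE_DEPLOY
 * event for every service, including data services that have no services.xml.
 */
public class BamAdminServiceObserver implements AxisObserver {
    private static final Logger LOG = Logger.getLogger(BamAdminServiceObserver.class.getName());

    // Parameter names as used in the thread.
    static final String ADMIN_SERVICE = "adminService";
    static final String HIDDEN_SERVICE = "hiddenService";
    // Hypothetical: how a deployed BAM data service is recognised by name.
    static final String BAM_SERVICE_PREFIX = "BAM";

    // Observers are themselves ParameterInclude; delegate that bookkeeping.
    private final ParameterIncludeImpl params = new ParameterIncludeImpl();

    public void init(AxisConfiguration axisConfig) { }

    public void serviceUpdate(AxisEvent event, AxisService service) {
        if (event.getEventType() != AxisEvent.SERVICE_DEPLOY) {
            return;
        }
        try {
            enforce(service);
        } catch (AxisFault e) {
            LOG.severe("Could not mark " + service.getName() + " as adminService: " + e.getMessage());
        }
    }

    /** Adds adminService=true to BAM services and flags any unsecured hidden service. */
    static void enforce(AxisService service) throws AxisFault {
        String name = service.getName();
        if (isBamService(name) && !isTrue(service, ADMIN_SERVICE)) {
            service.addParameter(new Parameter(ADMIN_SERVICE, "true"));
            LOG.info("Added " + ADMIN_SERVICE + "=true to " + name);
        }
        // hiddenService alone does not secure a service (per the thread), so log it.
        if (isTrue(service, HIDDEN_SERVICE) && !isTrue(service, ADMIN_SERVICE)) {
            LOG.warning(name + " is hiddenService but not adminService: callable without authentication");
        }
    }

    static boolean isBamService(String name) {
        return name != null && name.startsWith(BAM_SERVICE_PREFIX);
    }

    static boolean isTrue(AxisService service, String paramName) {
        Parameter p = service.getParameter(paramName);
        return p != null && "true".equalsIgnoreCase(String.valueOf(p.getValue()));
    }

    public void moduleUpdate(AxisEvent event, AxisModule module) { }
    public void serviceGroupUpdate(AxisEvent event, AxisServiceGroup group) { }

    // ParameterInclude methods required by the AxisObserver interface.
    public void addParameter(Parameter param) throws AxisFault { params.addParameter(param); }
    public void removeParameter(Parameter param) throws AxisFault { params.removeParameter(param); }
    public void deserializeParameters(OMElement el) throws AxisFault { params.deserializeParameters(el); }
    public Parameter getParameter(String name) { return params.getParameter(name); }
    public ArrayList getParameters() { return params.getParameters(); }
    public boolean isParameterLocked(String name) { return params.isParameterLocked(name); }
}
```

The observer only adds the parameter when it is absent, so a service that already declares adminService in its own services.xml is left untouched, and the warning branch gives a cheap audit of every deployment for the hiddenService-without-adminService case described above.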