Mura CMS vulnerability – might apply to your cfWheels app

Just a heads-up:
This recent Mura CMS issue is something which could possibly apply to a wheels app:

http://www.trunkful.com/index.cfm/2014/1/29/Mura-CMS-Vulnerability

I’m not referring to the file manager upload bit (although that could possibly apply), but the role escalation. That is, rewriting POST variables and resubmitting in order to gain admin privs.

Ask yourself, “do I have a public user account creation form” – if not, and user creation is always by an admin level user to start with (and that the user controller is sufficiently locked down), you’re probably fine.

But if you have a user creation form which is publicly accessible, have you used cfWheels protected properties for the ‘role’ field, or something like an ‘isAdmin’ field?

Have a think about how submitting a custom POST request, simply changing role=”admin”, could affect your application. I know I’ve been guilty of this in the past! One quick solution if you don’t want to go down the protected properties route is to separate out your role functions into a separate view/function, which can then do specific checks, and in the user account creation, overwrite any role value passed in with a sensible default.
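To make that concrete, here is an added example (not code from the original post, and not part of cfWheels itself) of what the hole looks like in a wheels app and the two ways of closing it described above. The model name (“user”), the column names (role, isAdmin), the action names, the allowed role list and the session.isAdmin flag are all assumptions for the sake of illustration; the cfWheels functions used (protectedProperties, model, new, save, findByKey, redirectTo, renderPage, renderText) are the framework’s own.

```cfml
// models/User.cfc (assumed model name and columns)
component extends="Model" {

    function init() {
        // Option 1: protected properties. Anything listed here is ignored when
        // the model is populated by mass assignment, i.e. new(params.user),
        // create(params.user) or update(params.user). A POST that has been
        // rewritten to include user[role]=admin or user[isAdmin]=1 therefore
        // never reaches the row.
        protectedProperties(properties="role,isAdmin");
    }

}

// controllers/Users.cfc (assumed controller and action names)
component extends="Controller" {

    // BEFORE: the whole params.user struct is handed straight to the model.
    // Without protectedProperties() in the model, a visitor who resubmits the
    // signup form with an extra role=admin field simply gets an admin account,
    // because nothing here decides which fields the public is allowed to set.
    function createUnsafe() {
        user = model("user").new(params.user);
        if (user.save()) {
            redirectTo(action="index");
        } else {
            renderPage(action="new");
        }
    }

    // AFTER, option 2: overwrite any role value passed in with a sensible
    // default. This works on its own, and also as belt and braces on top of
    // protectedProperties(), so the outcome does not depend on the model
    // having been configured correctly.
    function create() {
        user = model("user").new(params.user);
        user.role = "member";   // assumed default role for self-registered users
        user.isAdmin = false;
        if (user.save()) {
            redirectTo(action="index");
        } else {
            renderPage(action="new");
        }
    }

    // Role changes live in their own action with their own check, instead of
    // riding along with the general profile update. session.isAdmin is an
    // assumed flag set by the app's own login code; the role list is assumed.
    function updateRole() {
        if (!StructKeyExists(session, "isAdmin") || !session.isAdmin) {
            renderText(text="Forbidden");
            return;
        }
        if (!StructKeyExists(params, "role") || !ListFindNoCase("member,editor,admin", params.role)) {
            renderText(text="Unknown role");
            return;
        }
        target = model("user").findByKey(params.key);
        // Set the property directly rather than via the params struct, so
        // only this one, checked value can change.
        target.role = params.role;
        target.save();
        redirectTo(action="index");
    }

}
```

Which of the two you pick matters less than being deliberate about it: in createUnsafe() the decision about who may become an admin is never made anywhere, so the form field decides. Once protectedProperties() or the overwrite is in place, that decision only happens in updateRole(), behind a check you control.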

There’s more on this here – https://groups.google.com/forum/?fromgroups#!searchin/cfwheels/mass$20assignment/cfwheels/bOQo9-CHJlA/xtAVjcvzNMgJ 

This isn’t an issue with wheels per se, just a very common coding practice which can potentially leave a hole open to attack!

RSS2 & iCal for RoomBooking System

Since Jan 2014, RSS2 and iCal have been added – these are a bit experimental – would appreciate feedback!

Each user can have a unique key generated for them by an administrator (it’s not there by default). Once an API key is available for that user, and their role allows it, they should be able to access /api/, which will display a list of available feeds.

Feeds are ‘All’ (i.e all locations) and then split down by location, so you could have RSS for a specific location if you wanted.

Note that after creating an API key for that user, the user will need to log out and back in again to be able to use it, but should then see “Data Feeds” as a menu option on the Events drop down. Once they’ve got the URL with the token, that will then bypass the authentication, so you can get read access to the upcoming events.