Interesting (Real world) Security Issue

I found an interesting security bug today in some code at a client's site. (And unlike some other security holes, this one is real.) The problem was that the logon system was letting people in after an invalid logon. Users were correctly blocked at first, but as soon as they had submitted an invalid logon and then reloaded the page, they were let in. Why? Consider this code and make a guess before I show the answer:

<CFIF NOT IsDefined("Session.ProLoginOK")>
    <CFLOCATION URL="login/login.cfm" ADDTOKEN="No">
<CFELSEIF Session.ProLoginOK IS "">
    <CFLOCATION URL="login/login.cfm" ADDTOKEN="No">
</CFIF>

Figured it out? On an invalid login, the code set session.prologinok to "No". Because "No" both defined the variable and was not an empty string, neither branch of the check fired, and the forced redirect to the logon template never ran. The check only ever asked "is the flag missing or empty?" instead of "does the flag hold the value a successful login sets?", so any other value, including the one written on failure, was treated as logged in.

Something to watch out for in your own code!
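The same logic modelled in Python, as an added example rather than anything from the original post: a session dictionary stands in for ColdFusion's Session scope, a missing key stands in for an undefined Session.ProLoginOK, and the "Yes" success marker is an assumption (the post only tells us the failure path writes "No"). The vulnerable gate reproduces the page's check; the fixed gate fails closed by admitting only the explicit success value.

```python
"""Model of the login gate from the post (added example, not the post's code).

A plain dict plays the role of ColdFusion's Session scope. A missing
"ProLoginOK" key models an undefined Session.ProLoginOK.
"""
from typing import Optional

LOGIN_PAGE = "login/login.cfm"
SUCCESS_MARKER = "Yes"  # assumed value the login handler stores on success


def vulnerable_gate(session: dict) -> Optional[str]:
    """The check as written on the page.

    Redirects only when the flag is undefined or empty. Returns the
    redirect target, or None when the request is allowed through.
    """
    if "ProLoginOK" not in session:          # NOT IsDefined("Session.ProLoginOK")
        return LOGIN_PAGE
    if session["ProLoginOK"] == "":          # Session.ProLoginOK IS ""
        return LOGIN_PAGE
    return None                              # anything else is let in, including "No"


def fixed_gate(session: dict) -> Optional[str]:
    """Fail-closed variant.

    Allows the request only when the flag holds the one value a successful
    login sets. Undefined, empty, "No", or any unexpected value redirects.
    """
    if session.get("ProLoginOK") == SUCCESS_MARKER:
        return None
    return LOGIN_PAGE


# Constructed session states covering the life cycle the post describes.
SCENARIOS = {
    "fresh visitor": {},
    "empty flag": {"ProLoginOK": ""},
    "after failed login": {"ProLoginOK": "No"},     # the state that slipped through
    "after successful login": {"ProLoginOK": SUCCESS_MARKER},
    "garbage value": {"ProLoginOK": "0"},           # also let through by the old check
}


def audit() -> dict:
    """Run every scenario through both gates.

    Returns {scenario: (vulnerable_result, fixed_result)} where each result
    is the redirect target or None for "allowed in".
    """
    return {
        name: (vulnerable_gate(dict(sess)), fixed_gate(dict(sess)))
        for name, sess in SCENARIOS.items()
    }


def scenarios_wrongly_admitted() -> list:
    """Names of scenarios the vulnerable gate admits but the fixed gate blocks."""
    return [
        name for name, (old, new) in audit().items()
        if old is None and new == LOGIN_PAGE
    ]


if __name__ == "__main__":
    for name, (old, new) in audit().items():
        print(f"{name:24s} vulnerable -> {old or 'ALLOWED':16s} fixed -> {new or 'ALLOWED'}")
    print("wrongly admitted by the original check:", scenarios_wrongly_admitted())
```

The fix is not really about the string "Yes"; it is about writing the authorization predicate as an allow-list of the one state that means "authenticated" rather than a deny-list of the states you happened to think of. In CFML itself, where "Yes" and "No" are valid boolean strings, the equivalent is to require that the flag is defined, passes IsBoolean, and evaluates true, and to redirect in every other case.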


About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA