PD4ML v4 Forums PD4ML v3 Archived Forums (Read Only) General questions / FAQ Possible security hole in pd4ml

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • rkt
    #26311

    I’d like to discuss a possible security hole in pd4ml which can have devastating effect if pd4ml library is used in a specific way. I prefer not to list the bug/feature until pd4ml developers can comment on it.

    Our organization wants to use it but this particular bug is big enough that we will start looking for an alternative product if there is no way out. Since the customer list of pd4ml is available online, its possible that those who figure out this bug could misuse this feature/bug in unintentional way as well.

    Please respond to this thread or contact me by email at the earliest.

    thanks,
    Royans

    Application Services
    Ingenuity

    #27759

    Please contact support at pd4ml dot com and provide some more details.

    Thank you.

    #27760

    Dear Sirs,

    Can you tell the rest of us if your concerns have been dealt with?

    Thank you!

    #27761

    The issue is relevant only for scenarios, when you allow users to author, freely edit and save HTML templates on the server side. We find that as a bad practice in general.

    It makes teoretically possible to address undesired resources (for example, images) on the server side. Of course, the addressing possibilities are limited by permissions of the user account, the application server runs under.

    The most recent PD4ML betas implement a configuration parameter to limit the resource addressing scope.

    #27762

    Dea Sirs,

    Thank you for explaining. This is not an issue for us and most I would suspect.

Viewing 5 posts - 1 through 5 (of 5 total)

The forum ‘General questions / FAQ’ is closed to new topics and replies.