MTAS Security Cockups
Who is running this? I mean… really.
First off, the MTAS system has a URL that is unsecured. I can see how someone arrived at this: if no-one knows the page name, they aren’t going to get in. Of course, that loses things like login audit information, and it gambles that nobody is going to guess the page name (security through obscurity, in other words). As a project manager, if a programmer came to me with this solution for my whelk stall’s product catalogue, I’d be telling them to put proper authentication in place.
But then, it turns out that if you pick the right URL, you can go straight in and read mails. From what I’ve read, it sounds like some user information is in the URL (like maybe mail.php?userid=1234). Change the userid in that and you go straight to someone else’s mailbox, so an attacker could work it out without guessing anything. This is something I count as primary testing of an application: at the point of presenting a page, not only is the user logged in, but on each page the key information (the record identifier the request asks for) is checked against the user’s credentials to ensure that they can only see what is theirs. That applies whether it’s being passed in a query string (which I avoid precisely because it gives clues) or as form data; a hidden form field or a POST body is just as easy for the user to edit as the address bar.
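As an added illustration (not code from the original post, and not the MTAS code, which I have not seen), here is the pattern described above beside a hardened version. The page name mail.php and the userid parameter are the guesses made in the post; the session store, message table, message ids and audit list are constructed for this example.

```python
"""Insecure direct object reference in a mailbox page, and the fix.

Added example, not code from the original post or from MTAS. The request
is a plain dict imitating a parsed HTTP request: a "query" mapping for
the query string (mail.php?userid=1234) and a "cookies" mapping for the
session cookie. Session handling and storage are stand-ins.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msgid: int
    owner: int      # user id of the mailbox this message belongs to
    subject: str


# Constructed sample data standing in for the application's mail table.
MESSAGES = {
    1: Message(1, 1234, "Interview Monday 9am"),
    2: Message(2, 1234, "Reference received"),
    3: Message(3, 5678, "Offer: Trust B, post 2"),
}

# Constructed session store: cookie value -> authenticated user id.
SESSIONS = {"sess-abc": 1234, "sess-xyz": 5678}

# Denied requests are recorded here; the original design had no audit trail.
AUDIT = []


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def vulnerable_mail_page(request):
    """mail.php?userid=N as the post describes it: no login check and no
    ownership check, so the number in the URL alone decides whose mailbox
    is shown. Change 1234 to 1235 and you read someone else's mail."""
    userid = int(request["query"]["userid"])
    return [m.subject for m in MESSAGES.values() if m.owner == userid]


def current_user(request):
    """Identify the caller from the session cookie, never from the URL."""
    token = request.get("cookies", {}).get("session")
    if token not in SESSIONS:
        raise Unauthenticated("login required")
    return SESSIONS[token]


def hardened_mail_page(request):
    """Same page with the two checks the post asks for on every request:
    1. the caller is logged in (session cookie, not a query parameter);
    2. the record key in the request is checked against that user."""
    user = current_user(request)
    query = request.get("query", {})
    if "msgid" not in query:
        # Listing: the mailbox is chosen by the session, never by the URL.
        return [m.subject for m in MESSAGES.values() if m.owner == user]
    raw = query["msgid"]
    msg = MESSAGES.get(int(raw)) if raw.isdigit() else None
    # Ownership check on the key the request names, against the logged-in user.
    # "Not yours" and "does not exist" get the same answer so ids cannot be
    # enumerated, and the attempt is logged: it is exactly an attacker's probe.
    if msg is None or msg.owner != user:
        AUDIT.append(f"DENY user={user} msgid={raw}")
        raise Forbidden("not your message")
    return [msg.subject]


def attempt(handler, request):
    """Run a page handler and report the outcome as (status, result)."""
    try:
        return "ok", handler(request)
    except Unauthenticated:
        return "login", None
    except Forbidden:
        return "forbidden", None


if __name__ == "__main__":
    # User 5678 tampers with the URL to ask for message 1, which belongs to 1234.
    probe = {"cookies": {"session": "sess-xyz"}, "query": {"msgid": "1"}}
    print(attempt(vulnerable_mail_page, {"query": {"userid": "1234"}}))
    print(attempt(hardened_mail_page, probe))
    print(AUDIT)
```

The hardened handler deliberately takes the mailbox from the session and only the message id from the request, so there is nothing in the URL for a user to swap that would change whose data they are looking at; if a record id must travel in the URL or a form, the ownership comparison is what makes it safe, not hiding the parameter.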
This system is a shambles, and I doubt that it cost the taxpayer what it would cost me to build it with a couple of junior programmers.
Tim, I always feel such an idiot with your posts. Are you referring to the junior doctor thing here?
James,
Yes. It’s probably quite a technical post, to be honest.
It’s more of something for any junior programmers reading about protecting your data.