Possible security hole in pd4ml

#26311

I’d like to discuss a possible security hole in pd4ml which can have devastating effect if pd4ml library is used in a specific way. I prefer not to list the bug/feature until pd4ml developers can comment on it.

Our organization wants to use it but this particular bug is big enough that we will start looking for an alternative product if there is no way out. Since the customer list of pd4ml is available online, its possible that those who figure out this bug could misuse this feature/bug in unintentional way as well.

Please respond to this thread or contact me by email at the earliest.

thanks,
Royans

Application Services
Ingenuity

#27759

Please contact support at pd4ml dot com and provide some more details.

Thank you.

#27760

Dear Sirs,

Can you tell the rest of us if your concerns have been dealt with?

Thank you!

#27761

The issue is relevant only for scenarios, when you allow users to author, freely edit and save HTML templates on the server side. We find that as a bad practice in general.

It makes teoretically possible to address undesired resources (for example, images) on the server side. Of course, the addressing possibilities are limited by permissions of the user account, the application server runs under.

The most recent PD4ML betas implement a configuration parameter to limit the resource addressing scope.

#27762

Dea Sirs,

Thank you for explaining. This is not an issue for us and most I would suspect.

[Author]

Posts