B.1 Data Security

Data items are passed from the Subscriber channel to the Publisher channel via a URL contained in the e-mail sent by the Subscriber channel. Changing certain data items in the URL represents a security threat. For example, if the responder-dn values in the URL supplied by the Subscriber channel in the URL are replaced by another user's DN in the URL submitted to the Publisher channel Web server, it would allow an unauthorized user to change data in eDirectory.

To ensure that the data in the submitted URL is the same as the data originally supplied by the Subscriber channel, protected data is provided. Protected data is data that cannot be changed for security reasons. This data varies by configuration but always includes the responder-dn data items, and data items corresponding to any eDirectory objects whose values are to be changed.

Data items are protected by encrypting the original values and placing the encrypted values into a URL query string. When the Publisher Web server receives the encrypted values, the Publisher decrypts the values and uses them to compare the unencrypted data items that are supplied by an HTTP GET or POST request.

If an instance of a data item appears in the encrypted data, then an unencrypted data item value must match one of the encrypted data item values. If the unencrypted data item value does not match one of the encrypted data item values, then the HTTP request is rejected by the Publisher channel Web server.

In addition, any HTTP POST request that does not contain protected data is rejected.

Example

In an HTTP POST request, the Publisher channel Web server uses the unencrypted POST data named responder-dn to check the password supplied by the POST data. This is done to authenticate the responding user against the user's eDirectory object.

Suppose the Subscriber channel <url-query> element content specifies two data items as follows:

<item name="responder-dn" protect="yes">\PERIN-TAO\novell\phb</item>
<item name="responder-dn" protect="yes">\PERIN-TAO\novell\carol</item>

The URL generated by the Subscriber channel will contain both responder-dn values in the protected data.

Suppose a malicious user obtains the URL that is generated and sent in an e-mail message. The malicious user uses the URL to obtain the HTML form that allows users to change data for an eDirectory object.

In the HTTP POST request that is submitted to the Web server, the malicious user uses his eDirectory DN (responder-dn=\PERIN-TAO\novell\wally) as the unencrypted responder-dn value. The malicious user also submits his own password in the POST data so that the authentication that the Web server performs will succeed.

However, when the Publisher channel Web server receives the HTTP POST data, it fails to find “\PERIN-TAO\novell\wally” in the encrypted protected data and rejects the POST request.