How To: Configure permissions in Out-of-the-box MOSS 2007 Approval Workflow such that “Approvers” cannot edit or delete the item to be approved

1. Consider a Microsoft Office SharePoint Server 2007 site that will be used as a “Document Approval System”. Certain users will be “Editors” and they will be able to upload documents for approval. Another set of users will be “Approvers”. These users can either approve or reject the uploaded documents. The security requirement is that…

3

Catch the Security Flaw #3

Quite a few web applications encrypt query string values. This is generally done as an added measure to prevent unauthorized access. Since the end user cannot chose a value and then encrypt it, changing parameters becomes difficult. But encryption is not a panacea. See if you can spot this bug. The code behind file looks…

8

Common Authorization flaw in Web Applications: Why disabling buttons (or other controls) is not enough?

I have seen quite a few web applications that rely on disabling controls for authorization. Consider this code:- The scenario may be that the page has to be displayed in a read-only manner for certain roles, or after submission of some details but prior to approval (in a workflow). This reason depends on the business…

2

Common Authorization Vulnerability in Thick Client applications

Consider the following architecture for an intranet application. A thick client installed on the user’s machine connects to a web service which in turn connects to the database. The web service authenticates the caller using windows authentication. It connects to the SQL Server using a fixed identity.     The vulnerability occurs if authorization controls are…

0