FIXprotocol.org website is missing some security checks, it's vulnerable to Internet attack.
Mahesh Kumaraguru / Polaris software labs <>
27 Oct 2005 11:46PM ET

Hello FIXprotocol.org Website Administrators,
In my opinion, the fixprotocol.org website is missing some basic security checks / validations when messages are being posted.
A message can be posted to this website without logging in. The following URL is an example:
http://fixprotocol.org/discuss/read/ee328723
I repeated the check myself to see if this still works:
Step 1) Entered URL in browser
http://fixprotocol.org/discuss/post/345
(forum 345 does not exist in fixprotocol.org)
The post message web form is displayed.
Step 2) Enter some characters in Subject and message body, click on post message. It gets posted to an unlabeled forum - an unreachable webpage is created.
http://fixprotocol.org/discuss/save/4b1d69ac
http://fixprotocol.org/discuss/read/4b1d69ac
This vulnerability can be exploited in an internet "Distributed Denial of Service Attack" - using an internet client application which generates HTTP GET and POST messages to the fixprotocol.org website and keeps sending junk data continuously, jamming the web server with a large number of crap messages. Since I am a J2EE architect, I know how it can be done using a Java client side program, though I do NOT intend to do something crazy like that :-)
Request you to kindly take a look at this issue.
In my opinion, adding a login status check at the time of accepting message posting would solve the problem. Additionally, good user interface design principles would require a "Page Not Found" error be returned to the browser if a requested discussion forum is not found. These would make the FIXprotocol.org website more secure / robust.
Regards,
K. Mahesh
+1-203-252-4039
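The two server-side checks the post asks for (a login check before a message is accepted, and a 404 for a forum id that does not exist), as an added example that is not FIXprotocol.org's code: a small model of the `/discuss/post/<forum>` and `/discuss/save/<forum>` handlers. The `Request`, `FORUMS`, `SESSIONS` and `SAVED_MESSAGES` names and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for the site's real stores (assumed names).
FORUMS = {"12": "FIX 4.4 Session Layer", "27": "Order Routing"}
SESSIONS = {"sess-abc": "mahesh"}   # session cookie -> logged-in user
SAVED_MESSAGES = []                 # what a successful save appends to


@dataclass
class Request:
    method: str
    path: str                       # e.g. "/discuss/post/345"
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def _logged_in_user(req: Request) -> Optional[str]:
    """Map the session cookie to a user; None when nobody is logged in."""
    return SESSIONS.get(req.cookies.get("session", ""))


def _forum_id(req: Request) -> Optional[str]:
    """Extract <forum> from /discuss/post/<forum> or /discuss/save/<forum>."""
    parts = req.path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "discuss" and parts[1] in ("post", "save"):
        return parts[2]
    return None


def handle(req: Request) -> Response:
    user = _logged_in_user(req)
    if user is None:
        # Login check first: neither the form nor a save is available anonymously.
        return Response(401, "Login required")
    forum = _forum_id(req)
    if forum is None or forum not in FORUMS:
        # Unknown forum id: answer 404 instead of creating an unlabeled forum.
        return Response(404, "Page Not Found")
    if req.method == "GET":
        return Response(200, f"post form for {FORUMS[forum]}")
    subject = req.form.get("subject", "").strip()
    body = req.form.get("body", "").strip()
    if not subject or not body:
        return Response(400, "Subject and message body are required")
    SAVED_MESSAGES.append((forum, user, subject, body))
    return Response(200, "Message saved")
```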