Search This Blog

11 November 2010

AIF surprises with verbose responses...

The title could also be "AIF security whole", but I choosed the understatement ;-)

Using QueryCriteria to filter can result in returning all data it you do an error in your request. To describe this, lets take the standard AddressService and do a find request by using the FileSystemAdapter. Here's a correct requst example:

{DD112222-0306-1220-0001-DD33444455DD} DYNAMICS\Administrator Sample Contoso
Address Name Equal Sit*

Now the QueryCriteria does contain an error (I removed the CriteriaElement):

{DD112222-0306-1220-0001-DD33444455DD} DYNAMICS\Administrator Sample Contoso
Address Name Equal Sit*

Normally this cannot be validated because it is not conform to the schema
defined in the QueryCriteria.xsd. The QueryCriteria elemet riquires to have at least one CriteriaElement:




But instead of not validating the document of the request, AIF decides to return all data. This behavior can be reproduced on any standard or custom AIF document service.

It is very likely that the Aif-services do not validate incoming Xml messages (as it is configurable for outgoing messages!) for performance reasons, but it should be possible to configure this nevertheless.

No comments:

Post a Comment