Can deploying a new plug-in to a CRM project result in a new vulnerability?
-
Wednesday, 14 March 2012 13:30
Hello,
Can deploying a new plug-in to a CRM project result in a new vulnerability?
Regards,
Ahmed Anas
All replies
-
Wednesday, 14 March 2012 13:40
That depends entirely on what kind of plugin you are deploying. As a general rule, plugins registered in the sandbox have less potential for damage because they only have limited access to resources (e.g. you cannot access the database).
If you, for example, create a plugin which performs some actions on the database based on fields in an entity, there is the possibility of an SQL injection. Chances of a vulnerability are a lot less if you have a plugin which only sets a default value on a field.
Patrick Verbeeten
www.patrickverbeeten.com
www.wavextend.com
-
Thursday, 15 March 2012 11:33
Many thanks Patrick for your appreciated help.
Well, what about the possibility of XSS attacks based on the inputs? Is it possible, or are all inputs to the system and outputs sanitized by default? Also, are there other scenarios like the SQLi one?
Thank you again,
Ahmed Anas
-
Thursday, 15 March 2012 11:43
XSS is an interesting one. On the standard CRM forms XSS should not be an issue; CRM has built-in checks to prevent field contents from being executed, so some sanitizing is happening. However, there are some areas where, for example, a text field containing JavaScript could be executed. The only ones I can think of are components you would create yourself, i.e. a web resource which displays the text from a CRM record. So you would have to sanitize the data you use if you create your own web resource, specifically HTML, JS and Silverlight.
XSS does not really apply to plugins as these execute C#, and you would have to explicitly create the plugin to execute CRM data as code. Running in the CRM sandbox makes this completely impossible as this does not allow any reflection or dynamic code.
SQL injection is only a problem if you connect to the database yourself. If you perform all operations using IOrganizationService, SQL injection is impossible, assuming there are no vulnerabilities in CRM itself.
Patrick Verbeeten
www.patrickverbeeten.com
www.wavextend.com
- Marked as answer by DavidJennawayMVP, Moderator, Monday, 16 April 2012 18:40
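As an added illustration of the SQL injection point above (this is example code written for this page, not code from Patrick's post, from the CRM SDK samples or from any product), here is a C# plugin that looks up an account from a text field a user typed into a form. The safe path sends the value as data inside a QueryExpression through IOrganizationService; the contrasting direct-SQL versions show the injectable string concatenation and the parameterised form to use if direct SQL is unavoidable outside the sandbox. The field names new_customercode and new_accountid, the pre-operation Create registration, and the AccountBase table/column names in the direct-SQL branches are all assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Example plugin, not from the thread. Assumed to be registered pre-operation on
// Create of a custom entity whose text field "new_customercode" (hypothetical name)
// comes straight from the user's form and is used to find an account by the standard
// "accountnumber" field. AccountBase/AccountNumber below are assumed on-premise
// schema names used only to contrast the direct-SQL approaches.
public class CustomerLookupPlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        IOrganizationService service = factory.CreateOrganizationService(context.UserId);

        Entity target = context.InputParameters.Contains("Target")
            ? context.InputParameters["Target"] as Entity
            : null;
        if (target == null || !target.Contains("new_customercode"))
            return;

        string code = target.GetAttributeValue<string>("new_customercode");

        // Safe path: the user-supplied value travels as data inside the query object,
        // never as SQL text, and this works inside the sandbox as well as outside it.
        Guid? accountId = FindAccountSafe(service, code);
        if (accountId.HasValue)
            target["new_accountid"] = new EntityReference("account", accountId.Value); // hypothetical lookup field
    }

    // Safe: IOrganizationService builds and executes the query server-side.
    public static Guid? FindAccountSafe(IOrganizationService service, string code)
    {
        var query = new QueryExpression("account") { ColumnSet = new ColumnSet("accountid") };
        query.Criteria.AddCondition("accountnumber", ConditionOperator.Equal, code);
        EntityCollection results = service.RetrieveMultiple(query);
        return results.Entities.Count == 0 ? (Guid?)null : results.Entities[0].Id;
    }

    // VULNERABLE, shown only for contrast: the field value is pasted into the SQL text.
    // A customer code of  x' OR '1'='1  turns the WHERE clause into a tautology.
    // This path is only reachable outside the sandbox, where direct SQL access is blocked.
    public static string BuildVulnerableSql(string code)
    {
        return "SELECT TOP 1 AccountId FROM AccountBase WHERE AccountNumber = '" + code + "'";
    }

    // If direct SQL is unavoidable (on-premise, plugin registered outside the sandbox),
    // parameterise the query so the value can never change the statement's structure.
    public static Guid? FindAccountParameterised(string connectionString, string code)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT TOP 1 AccountId FROM AccountBase WHERE AccountNumber = @code", conn))
        {
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 20).Value = code;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? (Guid?)null : (Guid)result;
        }
    }
}
```

The difference to check in a code review is where the user's value ends up: in FindAccountSafe it is a ConditionExpression value, so CRM's own data layer treats it as a literal; in BuildVulnerableSql it becomes part of the statement, which is the exact condition Patrick describes for an injection. Registering the plugin in the sandbox removes the direct-SQL option altogether, so only the first function remains possible there.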
-
Thursday, 15 March 2012 15:55
Thank you Patrick, but I have one more question :)
What about running on-premise, does it allow reflection or dynamic code? Is it really worth using the sandbox features instead of on-premise?
Thanks a lot,
Ahmed Anas
-
Thursday, 15 March 2012 17:16 Moderator
The sandbox should work the same for CRM On-Premise as Online, i.e. if you deploy the plugin in the sandbox On-Premise, it will not be able to use reflection, dynamic code, direct SQL access etc. The only significant difference is that you can choose whether to deploy a plugin in the sandbox or not with On-Premise, whereas with Online you can only deploy a plugin in the sandbox.
If code security is a significant concern, then I'd suggest you specify that all plugins should be registered in the sandbox.
Microsoft CRM MVP - http://mscrmuk.blogspot.com http://www.excitation.co.uk
- Edited by DavidJennawayMVP, Moderator, Thursday, 15 March 2012 17:16
- Marked as answer by DavidJennawayMVP, Moderator, Monday, 16 April 2012 18:41
-
Sunday, 18 March 2012 12:08
Hello David,
Your addition was really valuable, thank you.
Is there any limitation that prevents me from deploying a plugin in the sandbox, apart from not being able to use reflection, dynamic code, direct SQL access etc.?
Also, is there any workaround to make the sandbox support workflow activity execution?
Thank you again!
Ahmed Anas
-
Sunday, 18 March 2012 12:45
At the moment workflow activities cannot be registered in the Sandbox, so no.
But with the CRM Q2 2012 service update, the ability to add custom activities to CRM Online will be added. I have not found confirmation of how this will work, but I would expect they will only run in the sandbox, which would mean that you should also have this ability offline.
It is very hard to get details out on this, but this is the official release guide: http://crmpublish.blob.core.windows.net/docs/ReleasePreviewGuide.pdf
Patrick Verbeeten
www.patrickverbeeten.com
www.wavextend.com