Brian Blogs on SharePoint

Information, curiosities, and observations about SharePoint and the community.


SharePoint Designer and Custom Actions – Security Issue

Posted by Brian Gough on March 31, 2009

This past Saturday, March 28th, I was giving a presentation at the Enterprise Developers Guild’s Spring Code Camp. One of the attendees brought a very interesting security issue to my attention. Apparently if you place a custom action (an action created in Visual Studio) immediately after an action that uses the timer job, like a ‘Pause..’ or ‘Wait until field changes..’, the custom action will execute as the Farm Administrator. Yikes! He has proven this out by adding code to the action that will delete a subsite under a different web application. So obviously the permissions are intact.

We know this occurs in build 12.0.0.6341, but we have not verified any other build at this time. If you happen to try this on another build version and can repeat it, I would love to hear about it.

I have reported this to the SharePoint Designer Product Team. I will update this post when I have some feedback from them. Until then, check your build versions, then make sure you double-check those workflows and custom actions!
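As an added example (this is not code from the original post, nor the attendee's proof-of-concept), here is how a Visual Studio custom action used from SharePoint Designer can be written so that it does not depend on whichever identity it happens to execute under. The first thing it does is trace the Windows identity of the executing process, which is the quickest way to see for yourself whether placement after a ‘Pause..’ changes who the action runs as. The second thing it does is authorize the destructive operation against the workflow initiator explicitly, so that even if the action is executing with farm-level rights, a user who could not delete the subsite themselves cannot do it through the workflow. The namespace, the `DeleteSubsiteActivity` class, the `SubsiteName` parameter and the trace messages are names assumed for illustration; `__Context` is the property name SharePoint Designer binds the workflow context to, and `WorkflowContext.InitiatorUser` is assumed here to be the initiator.

```csharp
// Added example, not code from the original post. Assumed names: the namespace,
// DeleteSubsiteActivity, SubsiteName, and the trace message text.
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Workflow.ComponentModel;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WorkflowActions;

namespace Example.Workflow
{
    // A SharePoint Designer custom action (a Visual Studio activity exposed through
    // an .actions file) that deletes a subsite. It never trusts the identity the
    // activity is running under; it checks the workflow initiator's own permissions
    // before doing anything destructive.
    public class DeleteSubsiteActivity : Activity
    {
        // SharePoint Designer binds the workflow context to a property named __Context.
        public static DependencyProperty __ContextProperty = DependencyProperty.Register(
            "__Context", typeof(WorkflowContext), typeof(DeleteSubsiteActivity));

        // Name of the subsite to delete (a parameter declared in the .actions file).
        public static DependencyProperty SubsiteNameProperty = DependencyProperty.Register(
            "SubsiteName", typeof(string), typeof(DeleteSubsiteActivity));

        public WorkflowContext __Context
        {
            get { return (WorkflowContext)GetValue(__ContextProperty); }
            set { SetValue(__ContextProperty, value); }
        }

        public string SubsiteName
        {
            get { return (string)GetValue(SubsiteNameProperty); }
            set { SetValue(SubsiteNameProperty, value); }
        }

        protected override ActivityExecutionStatus Execute(ActivityExecutionContext executionContext)
        {
            // 1. Record the Windows identity actually executing this activity.
            //    Run the workflow with this action placed before a Pause, then after
            //    one, and compare the two traces. The post reports that the second
            //    placement executes with farm-level rights.
            string processIdentity = WindowsIdentity.GetCurrent().Name;
            Trace.WriteLine("DeleteSubsiteActivity executing as " + processIdentity);

            SPWeb web = __Context.Web;
            SPUser initiator = __Context.InitiatorUser;   // assumed: the user who started the workflow
            if (web == null || initiator == null)
            {
                throw new InvalidOperationException("Workflow context is incomplete; refusing to act.");
            }

            // 2. Authorize against the initiator, not the thread identity.
            //    DoesUserHavePermissions(login, mask) evaluates the named user's effective
            //    permissions on the web regardless of who is running the code.
            using (SPWeb target = web.Webs[SubsiteName])
            {
                if (!target.DoesUserHavePermissions(initiator.LoginName, SPBasePermissions.ManageWeb))
                {
                    Trace.WriteLine(initiator.LoginName + " lacks ManageWeb on " + target.Url + "; denied.");
                    throw new UnauthorizedAccessException(
                        initiator.LoginName + " is not allowed to delete " + target.Url);
                }

                Trace.WriteLine("Deleting " + target.Url + " on behalf of " + initiator.LoginName);
                target.Delete();
            }

            return ActivityExecutionStatus.Closed;
        }
    }
}
```

The explicit check is the part that matters. A custom action is executed by whichever process picks up the workflow instance, the web application pool for the synchronous part and the SharePoint Timer Service after a delay, so the ambient identity is not a reliable authorization boundary, and anything the action does with `SPWeb`, `SPSite` or `SPList` should be gated on the initiator's rights the way `target.DoesUserHavePermissions(...)` is above. The usual deployment steps for a SharePoint Designer custom action (the .actions file and the `authorizedType` entry in web.config) still apply and are not shown here.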
