Christchurch company claims Jade hiccup lies in design

Christchurch-based Technology Design, which is embroiled in legal action with Aoraki, claims that a recent Jade Web security 'hiccup' is a fundamental design issue with Jade's Web architecture that has been with Jade since the release of version 4.0 in December 1997.

"The security hole meant it was possible to access the Web server controlling -- not monitoring -- program as well as to deploy and/or inspect the internals of Jade from the comfort of one's own Web browser," says Technology Design managing director Carl Dawson.

"If Aoraki has simply prevented the Web server controlling program from being presented to a Web browser and is making claims that the problem has been fixed, then all I can say is that's a bloody ballsy call.

"As for viewing limited amounts of data, every HTML request is displayed or can be displayed on the Web controlling program, and was possible to be viewed as a Web browser, including data sent over a secure sockets connection. Logs could be turned off at will, and a Jade-powered Web site could be shut down gracefully simply by selecting file: exit on a browser displaying the Web server controlling program, and in so doing discarding any residual 'whodunnit' information. A few of these are non-trivial issues.

"I do not see how this issue could not have an impact on client sites. After installing the new patch, as a minimum a site would have required all users to change their log-on credentials for any Web-based systems powered by Jade."

Aoraki chief executive Gil Simpson says he's satisfied the original matter raised by Dawson in the media has been resolved.

"We will continue to investigate any further matters raised by him, either via the media or directly to us. The feedback from registered Jade user sites has been 100% positive and not one has reported any negative impact," says Simpson.

"I would like to reiterate that although the glitch meant it was theoretically possible to access a Jade Web server monitoring application and view a limited amount of data and logging activities, it was not possible to access a Jade application. Aoraki does not wish to make any comment on its relationship with Technology Design as this is subject to a court action."

Technology Design has taken the action over a contract involving a call centre for Contact Energy which was abandoned when Contact merged its call centres after it bought United Electricity.
