eZ Platform Discussions

Security issue? Is it normal that an anonymous user can view admin user data?


#1

I’m on ezPlatform 2.3 and I can access admin user data as an anonymous user.

Is this normal? It’s occurring with every user in the DB.

I was trying to enable self edit for my guest users…

Vincent


#2

Definitely should not be normal. Did you check the anonymous policy? If it includes content/read from Users section you should disable this.


#3

Hi @skrosoft! First off, if you suspect a security issue in any software, please do not post about it in public forums. This is for the sake of other users of that software who may be hit by attackers who have been enabled by your information. Please contact the vendor of the software privately first, and give them reasonable time to fix the issue. For eZ Platform / eZ Publish, please follow these guidelines: https://doc.ez.no/Security

In this particular case, it looks like an issue with your role setup. To answer your question: No, it’s not normal.

“I was trying to enable self edit for my guest users…” If you tell us what you changed, we may be able to explain it and give advice.


#4

My anonymous policies:


Content Read / Section: Standard

Content Read / Content Type: Image / Section: Media

User Register / None

User Login / SiteAccess: site


It seems it is caused by the User/Login policy I gave to the anonymous role.

I removed this policy and the website asks me to log in again to access this page.

My user no longer has access to the login functionality:

I gave the policy back and logged out via /logout


I can access it again without being logged in.


#5

Hm, this sounds like a big security issue then :confused:

cc @andrerom @lserwatka @bdunogier


#6

Ok, I will delete this post and submit a bug on Jira. (Jira is used by the community version too?)


#7

No need to delete the post, just post the jira link here


#8

What’s public, is public. But there’s no need to keep it open and spread it further. I will see the security issue in jira when you create it, so the thread can be deleted right away. Thanks.


#9

Okay, you are right.


#10

ALL: This turned out to be a real issue. The fix is released today, as EZSA-2018-007:
http://share.ez.no/community-project/security-advisories/ezsa-2018-007-user-data-disclosure

It affects only v2.3.x


#11

Thank you @glye. Anonymous users are now redirected to the login form, and users without the correct policies now get an AccessDeniedHttpException.

The message is: User does not have access to ‘edit’ ‘content’ with: userId ‘14’.

However, I have the policy User/Selfedit enabled on my guest users; shouldn’t I be able to access the following URL?

/user/update/52/1/eng-GB (where 52 is my logged-in user’s content id)

How could I enable selfedit? Maybe Selfedit uses another controller.

Thank you!


#12

@skrosoft Yep, selfedit is different. I’ll answer in the selfedit thread - I was only postponing it until this issue could be closed :wink: