Security Issues

We tried to make LogicalDOC as intuitive as possible, but advice is always welcome.

Moderator: car031

MatteoDP
Posts: 4
Joined: Thu Jun 30, 2016 12:58 pm

Security Issues

Post by MatteoDP » Fri Jul 01, 2016 10:49 am

Hi All,

First of all, I write in this section, but I don't know if it's the correct one. If not, please move the topic to the right section, thank you.

I'm writing this topic because, using the 7.3.0 CE version, we noted that the user session check is not very strong, if not completely absent.

For example, if a user intercepts one of his requests and gets his sid, he can call other servlets, even if he couldn't access them through the GUI.
In this case, a "simple" user can access, with the following URL, the list, and data, of all users


http://localhost:8080/logicaldoc/data/users.xml?sid=6867814b-7fcb-4b59-8b1b-389ee59a90b7&required=true
The same happens with


http://localhost:8080/logicaldoc/data/documents.xml?sid=7dbf67e1-49a4-4981-9d51-fd37825eb1bb&locale=it&folderId=18415619&filename=&max=100&indexed=&page=1
If a user catches this request and changes the folderId, finding a correct one, he can list all documents in a folder forbidden to him.

Moreover, the same hacking behaviour is possible with all other servlets and methods, including, for example, deleting/editing/locking a document of another user in another folder.

So the question is: do you know this and, since it's a CE, you don't insert strong security checks, or is this a real problem?


Thank you
Matteo

car031
Posts: 154
Joined: Tue Apr 17, 2012 8:27 am

Re: Security Issues

Post by car031 » Mon Jul 04, 2016 8:13 am

Such an issue was already known in old CEs like that one. In 7.5 it is no longer there.

MatteoDP
Posts: 4
Joined: Thu Jun 30, 2016 12:58 pm

Re: Security Issues

Post by MatteoDP » Mon Jul 04, 2016 11:26 am

car031 wrote: Such an issue was already known in old CEs like that one. In 7.5 it is no longer there.
Oh, I'm sorry.

I'll update our CE version.

Thank you
Matteo

MatteoDP
Posts: 4
Joined: Thu Jun 30, 2016 12:58 pm

Re: Security Issues

Post by MatteoDP » Tue Jul 05, 2016 3:04 pm

car031 wrote: Such an issue was already known in old CEs like that one. In 7.5 it is no longer there.
Hi, I've downloaded the 7.5 Tomcat bundle and installed it.

Using Chrome, I've completed the setup, created 2 folders and uploaded 5 documents in the second folder.
With dev tools, I've logged all the requests and got the following one:


http://localhost:8080/logicaldoc/data/documents.xml?locale=it&folderId=163840001&filename=&max=100&indexed=&page=1
After doing this, I've created a new user, assigned to the guest group; then I removed the guest group's permission to access the second folder.

Using Firefox, I'm logged in with the guest user and correctly I see only one of the two existing folders, the first one.
After this, I've opened a new tab in Firefox, pasted the above request and I'm able to see the XML data of all 5 documents of the folder that I cannot access through the GUI.

So, I'm sorry, but the issue is still there in 7.5.0.

Thank You
Matteo
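
A way to run the check in the two posts above systematically, rather than against one captured request: the first post replays a request with the sid parameter, the reproduction above replays it from a browser session, and in both cases the question is whether documents.xml hands back a listing for a folder the caller cannot see in the GUI. The script below is an added example, not LogicalDOC code and not the poster's fix. It assumes the XML wraps each document in a <document> element and each user in a <user> element (the tag names are parameters, because the real schema is not captured in the thread), and every folder id and response body in it is constructed for the demo.

```python
"""Added example, not part of LogicalDOC or of the posts in this thread.

Probes /data/documents.xml and /data/users.xml as a low-privileged caller and
reports folders that return document data although the GUI hides them.

Assumptions: a hit is a <document> element and a user is a <user> element;
both tag names are parameters since the real schema was not captured.  All
ids and response bodies below are constructed for the demo.
"""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List, Optional, Tuple

BASE = "http://localhost:8080/logicaldoc"          # host used in the thread
Fetcher = Callable[[str], Tuple[int, str]]         # url -> (status, body)


def build_url(servlet: str, params: Dict[str, str], sid: Optional[str] = None) -> str:
    """URL for /data/<servlet>.xml.  sid is optional: the 7.5 reproduction in the
    thread used only the browser session cookie, with no sid parameter."""
    query = dict(params)
    if sid is not None:
        query["sid"] = sid
    return f"{BASE}/data/{servlet}.xml?{urllib.parse.urlencode(query)}"


def count_records(body: str, record_tag: str) -> int:
    """Number of <record_tag> elements in the body; 0 when the body is not XML
    (a login page or an HTML error page means no data came back)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 0
    return sum(1 for el in root.iter() if el.tag.lower() == record_tag.lower())


def classify(status: int, body: str, record_tag: str) -> str:
    """denied: 401/403 or a redirect (to login); empty: 200 without records,
    i.e. the servlet filtered the listing; leak: 200 with records; error: rest."""
    if status in (401, 403) or 300 <= status < 400:
        return "denied"
    if status == 200:
        return "leak" if count_records(body, record_tag) > 0 else "empty"
    return "error"


def http_fetch(url: str, cookie: Optional[str] = None) -> Tuple[int, str]:
    """Real fetcher: GET without following redirects, optionally sending the
    low-privileged browser session cookie (e.g. 'JSESSIONID=...')."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None                            # 3xx surfaces as HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe_folders(fetch: Fetcher, folder_ids: Iterable[int],
                  sid: Optional[str] = None) -> Dict[int, str]:
    """Verdict per folder for documents.xml, requested as the current caller."""
    report = {}
    for fid in folder_ids:
        url = build_url("documents", {"folderId": str(fid), "max": "100", "page": "1"}, sid)
        status, body = fetch(url)
        report[fid] = classify(status, body, "document")
    return report


def leaked_folders(report: Dict[int, str], allowed: Iterable[int]) -> List[int]:
    """Folders the caller may not see in the GUI but that still returned data."""
    allowed = set(allowed)
    return sorted(fid for fid, v in report.items() if v == "leak" and fid not in allowed)


def probe_users(fetch: Fetcher, sid: Optional[str] = None) -> str:
    """users.xml should come back 'denied' or 'empty' for a non-admin caller."""
    status, body = fetch(build_url("users", {"required": "true"}, sid))
    return classify(status, body, "user")


# Constructed demo responses (not captured from a real server).
DEMO_DOCS = ("<list><document><id>1</id><filename>a.pdf</filename></document>"
             "<document><id>2</id><filename>b.pdf</filename></document></list>")
DEMO_USERS = "<list><user><username>admin</username></user></list>"


def demo_fetch(url: str) -> Tuple[int, str]:
    """Fake server: folder 163840001 leaks, folder 4 is filtered, others refuse."""
    path, _, query = url.partition("?")
    q = urllib.parse.parse_qs(query)
    if path.endswith("/documents.xml"):
        fid = int(q["folderId"][0])
        if fid == 163840001:
            return 200, DEMO_DOCS
        if fid == 4:
            return 200, "<list/>"
        return 403, ""
    return 200, DEMO_USERS


if __name__ == "__main__":
    # On a live instance swap in: lambda u: http_fetch(u, cookie="JSESSIONID=...")
    report = probe_folders(demo_fetch, [4, 163840001, 999])
    print(report)                                          # {4: 'empty', 163840001: 'leak', 999: 'denied'}
    print("leaks:", leaked_folders(report, allowed=[4]))   # [163840001]
    print("users.xml:", probe_users(demo_fetch))           # leak
```

The fetcher is passed in so the same logic runs against the fake server above or, with http_fetch and the guest user's session cookie, against a real 7.x instance; a redirect to the login page and a 403 both count as "denied", a 200 with no records as "empty" (the servlet filtered the folder), and only a 200 that actually carries records for a folder outside the allowed set is reported as a leak.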

car031
Posts: 154
Joined: Tue Apr 17, 2012 8:27 am

Re: Security Issues

Post by car031 » Tue Jul 05, 2016 4:07 pm

Do as follows:

1. stop LogicalDOC
2. unzip the patch in tomcat/webapps/ROOT/WEB-INF/classes
3. start LogicalDOC
Attachment: patch-20160705b.zip (Patch, 10.65 KiB, downloaded 84 times)

MatteoDP
Posts: 4
Joined: Thu Jun 30, 2016 12:58 pm

Re: Security Issues

Post by MatteoDP » Wed Jul 06, 2016 11:02 am

car031 wrote:Do as follows:

1. stop LogicalDOC
2. unzip the patch in tomcat/webapps/ROOT/WEB-INF/classes
3. start LogicalDOC
Hi,

I've installed the patch and now I can't replicate the bug.

But the same happens for other "dataservlets", like UsersDataServlet.

Could you please share the fix you've done in the document servlet?

Thank you
Matteo

PS: I've done a fix myself, but in the old 7.3 version. If you want, I can share it.
