Security Issues

Posted: Fri Jul 01, 2016 10:49 am
by MatteoDP
Hi All,

First of all, I'm writing in this section, but I don't know if it's the correct one. If needed, move the topic to the right section, thank you.

I'm writing this topic because, using the 7.3.0 CE version, we noted that the user session check is not very strong, if not completely absent.

For example, if a user intercepts one of his requests and gets his sid, he can call other servlets, even if he couldn't access them through the GUI.
In this case, a "simple" user can access, with the following URL, the list, and data, of all users

http://localhost:8080/logicaldoc/data/users.xml?sid=6867814b-7fcb-4b59-8b1b-389ee59a90b7&required=true
The same happens with

http://localhost:8080/logicaldoc/data/documents.xml?sid=7dbf67e1-49a4-4981-9d51-fd37825eb1bb&locale=it&folderId=18415619&filename=&max=100&indexed=&page=1
If a user catches this request and changes the folderId, finding a correct one, he can list all documents in a folder forbidden to him.

Moreover, the same hacking behaviour is possible with all other servlets and methods, including, for example, deleting/editing/locking a document of another user in another folder.

So the question is: do you know this and, since it's a CE, you don't insert strong security checks, or is this a real problem?

Thank you
Matteo

Re: Security Issues

Posted: Mon Jul 04, 2016 8:13 am
by car031
Such an issue was already known in old CEs like that. In 7.5 it is no longer there.

Re: Security Issues

Posted: Mon Jul 04, 2016 11:26 am
by MatteoDP
car031 wrote: Such an issue was already known in old CEs like that. In 7.5 it is no longer there.
Oh, I'm sorry.

I'll update our CE version.

Thank you
Matteo

Re: Security Issues

Posted: Tue Jul 05, 2016 3:04 pm
by MatteoDP
car031 wrote: Such an issue was already known in old CEs like that. In 7.5 it is no longer there.
Hi, I've downloaded the 7.5 Tomcat bundle and installed it.

Using Chrome, I've completed the setup, created 2 folders and uploaded 5 documents in the second folder.
With dev tools, I've logged all the requests and got the following one:


http://localhost:8080/logicaldoc/data/documents.xml?locale=it&folderId=163840001&filename=&max=100&indexed=&page=1
After doing this, I've created a new user, assigned to the guest group; then I removed the guest group's permission to access the second folder.

Using Firefox, I'm logged in with the guest user and correctly I see only one of the two existing folders, the first one.
After this, I've opened a new tab in Firefox, pasted the above request and I'm able to see the XML data of all 5 documents of the folder that I cannot access through the GUI.

So, I'm sorry, but the issue is still there in 7.5.0.

Thank you
Matteo

Re: Security Issues

Posted: Tue Jul 05, 2016 4:07 pm
by car031
Do as follows:

1. stop LogicalDOC
2. unzip the patch in tomcat/webapps/ROOT/WEB-INF/classes
3. start LogicalDOC

Re: Security Issues

Posted: Wed Jul 06, 2016 11:02 am
by MatteoDP
car031 wrote: Do as follows:

1. stop LogicalDOC
2. unzip the patch in tomcat/webapps/ROOT/WEB-INF/classes
3. start LogicalDOC
Hi,

I've installed the patch and now I can't replicate the bug.

But the same happens for other "dataservlets", like UsersDataServlet.

Could you please share the fix you've done in the document servlet?

Thank you
Matteo

PS: I've done a fix by myself, but in the old 7.3 version. If you want I can share it.
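The defect reproduced above is that the data servlet authenticates the sid but never checks the caller's rights on the folderId it names. The following added example (not LogicalDOC's code; the session store, ACL table, document store, sid values and handler names are all constructed for illustration) shows the unchecked handler shape beside a handler that performs the per-request authorization check, using the same guest-group setup as the reproduction:

```python
"""Per-request authorization check for a "data servlet", as an added
illustration of the issue in this thread. Not LogicalDOC code: SESSIONS,
FOLDER_READ_ACL and DOCUMENTS are constructed in-memory stand-ins, and the
handler names documents_data_unchecked / documents_data_checked are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


class Forbidden(Exception):
    """Raised when the sid is unknown or the user may not read the folder."""


@dataclass
class Session:
    user: str
    groups: Set[str] = field(default_factory=set)


# Constructed sample state mirroring the reproduction: two folders, five
# documents in the second one, and a guest group allowed to read only folder 1.
SESSIONS: Dict[str, Session] = {
    "sid-admin-0001": Session("admin", {"admin"}),   # constructed sid
    "sid-guest-0002": Session("guest1", {"guest"}),  # constructed sid
}
FOLDER_READ_ACL: Dict[int, Set[str]] = {
    1: {"admin", "guest"},
    163840001: {"admin"},
}
DOCUMENTS: Dict[int, List[str]] = {
    1: [],
    163840001: [f"doc{i}.pdf" for i in range(1, 6)],
}


def resolve_session(sid: str) -> Session:
    """Authentication only: a valid sid proves who the caller is, nothing more."""
    try:
        return SESSIONS[sid]
    except KeyError:
        raise Forbidden("unknown or expired sid") from None


def documents_data_unchecked(sid: str, folder_id: int) -> List[str]:
    """Vulnerable shape: authenticates the sid, then trusts folderId as given."""
    resolve_session(sid)
    return list(DOCUMENTS.get(folder_id, []))


def can_read_folder(session: Session, folder_id: int) -> bool:
    """Authorization decision: one of the user's groups is in the folder's read ACL."""
    allowed = FOLDER_READ_ACL.get(folder_id, set())
    return bool(session.groups & allowed)


def documents_data_checked(sid: str, folder_id: int) -> List[str]:
    """Hardened shape: every request re-checks the caller's rights on the
    object it names, independently of what the GUI would have offered."""
    session = resolve_session(sid)
    if not can_read_folder(session, folder_id):
        # An unknown folderId also ends up here, so the response does not
        # tell the caller apart "no such folder" from "not yours".
        raise Forbidden(f"user {session.user} may not read folder {folder_id}")
    return list(DOCUMENTS.get(folder_id, []))


if __name__ == "__main__":
    print(documents_data_unchecked("sid-guest-0002", 163840001))  # leaks 5 docs
    try:
        documents_data_checked("sid-guest-0002", 163840001)
    except Forbidden as exc:
        print("denied:", exc)
    print(documents_data_checked("sid-guest-0002", 1))
```

The point of the split into resolve_session and can_read_folder is that the second call must happen in every servlet that takes an object id (documents, users, folder operations), not only in the one that was patched; a GUI that hides a folder is not an access control.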