Security Issues
Posted: Fri Jul 01, 2016 10:49 am
Hi All,
First of all, I'm writing in this section, but I don't know if it's the correct one. If not, please move the topic to the right section, thank you.
I'm writing this topic because, using the 7.3.0 CE version, we noticed that the user session check is not very strong, if not completely absent.
For example, if a user intercepts one of his requests and gets his sid, he can call other servlets, even if he couldn't access them through the GUI.
In this case, a "simple" user can access, with the following URL, the list and data of all users:
http://localhost:8080/logicaldoc/data/users.xml?sid=6867814b-7fcb-4b59-8b1b-389ee59a90b7&required=true
The same happens with
http://localhost:8080/logicaldoc/data/documents.xml?sid=7dbf67e1-49a4-4981-9d51-fd37825eb1bb&locale=it&folderId=18415619&filename=&max=100&indexed=&page=1
If a user catches this request and changes the folderId, finding a correct one, he can list all documents in a folder forbidden to him.
Moreover, the same hacking behaviour is possible with all other servlets and methods, including, for example, deleting/editing/locking a document of another user in another folder.
So the question is: do you know about this and, since it's a CE, you don't insert strong security checks, or is this a real problem?
Thank you
Matteo
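The post above describes requests that carry a valid sid but are never checked against what that user may do. As an added example (not part of the original post and not LogicalDOC code), this is a minimal model of the server-side check each data endpoint needs; the session table, group names, folder ids and the `check_request` helper are hypothetical and the sample data is constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (hypothetical, not LogicalDOC's schema).
SESSIONS = {"sid-admin": "admin", "sid-matteo": "matteo"}    # sid -> username
GROUPS = {"admin": {"admin"}, "matteo": {"staff"}}          # username -> groups
FOLDER_READERS = {100: {"staff", "admin"}, 200: {"admin"}}  # folderId -> groups that may read

def _is_admin(user, params):
    return "admin" in GROUPS[user]

def _can_read_folder(user, params):
    try:
        folder_id = int(params.get("folderId", [""])[0])
    except ValueError:
        return False
    # Unknown folders are denied exactly like forbidden ones, so guessing ids reveals nothing.
    return bool(GROUPS[user] & FOLDER_READERS.get(folder_id, set()))

# Every data endpoint maps to a server-side rule; an endpoint without a rule is denied.
RULES = {"/data/users.xml": _is_admin, "/data/documents.xml": _can_read_folder}

def check_request(url):
    """Return the HTTP status the server should answer with for this request URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    user = SESSIONS.get(params.get("sid", [""])[0])
    if user is None:
        return 401  # no valid session: not authenticated
    rule = next((r for p, r in RULES.items() if parts.path.endswith(p)), None)
    if rule is None or not rule(user, params):
        return 403  # valid session, but this user is not allowed to do this
    return 200

if __name__ == "__main__":
    base = "http://localhost:8080/logicaldoc/data/"
    for url in (
        base + "users.xml?sid=sid-matteo&required=true",
        base + "users.xml?sid=sid-admin&required=true",
        base + "documents.xml?sid=sid-matteo&folderId=100&page=1",
        base + "documents.xml?sid=sid-matteo&folderId=200&page=1",
    ):
        print(check_request(url), url)
```

The point of the model is that the decision depends on the user behind the sid and the requested resource, not on whether the GUI would have shown the link.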