Security Issues

[MatteoDP]

Hi All,

First of all, I write in this section, but I dont't know if it's the correct one. In case move the topic to the right section, thank you.

I'm writing this topic because, using the 7.3.0 CE version, we noted that user session check is not so strong, if not completely absent.

For example, if an user intercept one of his request and get his sid, he can call other servlet, also if he couldn't access them through the GUI.
In this case, a "simple" user can access, with the following url, to the list, and data, of all users

Code: Select all

http://localhost:8080/logicaldoc/data/users.xml?sid=6867814b-7fcb-4b59-8b1b-389ee59a90b7&required=true

Same happen with

Code: Select all

http://localhost:8080/logicaldoc/data/documents.xml?sid=7dbf67e1-49a4-4981-9d51-fd37825eb1bb&locale=it&folderId=18415619&filename=&max=100&indexed=&page=1

If an user catch this request and change the folderId finding a correct one, can list all documents in a folder forbidden to him.

Moveover same hacking behaviour is possible with all other servlet and method, including, for example, deleting/editing/locking a document of another user in another folder.

So the question is: you know this and, since it's a CE, you don't insert strong security checks or this is a real problem?


Thank you
Matteo

[car031]

Such an issue was already known in old CEs like that. In the 7.5 it is no more there.

[MatteoDP]

Such an issue was already known in old CEs like that. In the 7.5 it is no more there.

Oh, I'm sorry.

I'll update our CE version.

Thank you
Matteo

[MatteoDP]

Such an issue was already known in old CEs like that. In the 7.5 it is no more there.

Hi, I've download the 7.5 bundle tomcat and I've installed it.

Using Chrome, I've completed the setup, created 2 folder and upload 5 documents in the second folder.
With dev tools, I've log all the request and get the following one:

Code: Select all

http://localhost:8080/logicaldoc/data/documents.xml?locale=it&folderId=163840001&filename=&max=100&indexed=&page=1

After doing this, I've created a new user, assigned to guest group; then I removed the permission to guest group to access the second folder.

Using Firefox, I'm logged in with the guest user and correctly I see only one of the two folder existing, the first one.
After this, I've opened a new tab in Firefox, pasted the above request and I'm able to see the xml data of all the 5 documents of the folder that I cannot access through the GUI.

So, I'm sorry but there is still the issue in 7.5.0.

Thank You
Matteo

[car031]

Do as follows:

1. stop LogicalDOC
2. unzip the patch in tomcat/webapps/ROOT/WEB-INF/classes
3. start LogicalDOC

[MatteoDP]

Do as follows:

1. stop LogicalDOC
2. unzip the patch in tomcat/webapps/ROOT/WEB-INF/classes
3. start LogicalDOC

Hi,

I've installed the patch and now I can't replicate the bug.

But same happen for other "dataservlet", like UsersDataServlet.

Could you please share the fix you've done in document servlet?

Thank you
Matteo

ps: I've done a fix by myself, but in the old 7.3 version. If you want I can share it.