  1. Alfresco
  2. ALF-20979

Only Share dashboard of a private site has access security check

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not a bug
    • Affects Version/s: 4.2 Enterprise
    • Fix Version/s: None
    • Component/s: Share Application
    • Security Level: external (External user)
    • Labels: None
    • Security Severity: Low
    • Triage: To Do

      Description

      1) Create new user "rocco"
      2) Create new private site called "test"
      3) Log in as user "rocco"
      4) Try to access the URL /share/page/site/test/dashboard -> server error
      5) Try to access the URL /share/page/site/test/site-members -> access is granted

      If you have a custom page on the private site "test", any user who is aware of the URL can access it.

      1. Picture1.png
        87 kB
      2. Picture2.png
        50 kB

        Activity

        kroast Kevin Roast added a comment -

        The operations on any page will have security checks.

        The page such as /share/page/site/test/site-members does not give you "access" to anything - you can make up a siteid and navigate to the url:
        /share/page/site/somethingrandom/site-members and you will see the same empty page and no information - it does not cause a security issue.

        rdonnarumma Rocco Donnarumma added a comment -

        Until you create a custom page /share/page/site/test/custom, and then you will have access to it.

        It can have backend security, but why does Share expose that to non-members of the site?

        rdonnarumma Rocco Donnarumma added a comment -

        The "site-members" page was just an example because it is OOTB.

        Try creating your custom page in the site.

        cosminaru Cosmin Marginean added a comment -

        I'm sorry, but this is not resolved, nor is it "not a bug". If you create a custom page, the users will have access to that page. How is that not a fundamental security leak?


          People

          • Assignee: closedissues Closed Issues
          • Reporter: rdonnarumma Rocco Donnarumma
          • Votes: 0
          • Watchers: 3
