
Anonymous user shouldn't read Users Folder


Lazaro Ferreira

Thursday 01 June 2006 2:42:35 am

Hi,

I would like to know why eZ publish (...ENTERPRISE...) is delivered with an anonymous user that can read sensitive information like the USER folder?

Wouldn't it be better for an Enterprise System like eZ publish to have this permission revoked?

Regards

Lazaro
http://www.mzbusiness.com

Kristian Hole

Sunday 04 June 2006 5:19:47 pm

eZ publish does not give you access to the users folder if you are anonymous. Which version of eZ publish are you running?

Kristian

http://ez.no/ez_publish/documenta...tricks/show_which_templates_are_used
http://ez.no/doc/ez_publish/techn...te_operators/miscellaneous/attribute

K259

Sunday 11 June 2006 1:59:58 pm

Lazaro, do you have some example urls of this?

K259

Monday 12 June 2006 5:33:25 am

Is this btw. a (known) security problem?

Lazaro Ferreira

Monday 12 June 2006 8:24:49 am

Hi Kristian,

We detected this problem in more than one setup of EZP 3.4+, however my colleague told me that the problem doesn't appear in EZP 3.6+

It would probably be a good idea to alert partners and users with version EZP 3.4+ about this issue

Regards

Lazaro
http://www.mzbusiness.com

Lazaro Ferreira

Monday 12 June 2006 8:49:49 am

Hi,

I forgot to give you the URL

http://yourdomain/users

or

http://yourdomain/yoursiteaccess/users

Lazaro
http://www.mzbusiness.com

Jeroen Sangers

Monday 12 June 2006 11:00:16 am

I can't access those URLs with my eZ Publish installation. Did you make any changes in the permissions?

Vidar Langseid

Tuesday 13 June 2006 2:00:56 am

It is *not* possible for the anonymous user to read sensitive information like the user folder in any version of eZ publish.

It is claimed in this forum thread that eZ publish versions between 3.4 and 3.6 are affected by this flaw. This is not true. We have tested and can confirm that the following versions do indeed behave as expected:
3.4.0
3.4.7
3.5.0
3.5.10

Lazaro, since you have this misbehavior on your sites it must be because you have modified the anonymous user's privileges. eZ publish is not shipped with such privileges on the anonymous user by default.

Lazaro Ferreira

Tuesday 13 June 2006 3:55:30 am

Hi Vidar,

Actually the problem was detected in EZP 3.4.2, and EZP 3.5.1

I can assure you that we haven't modified any privileges (at least explicitly) for the anonymous user here, so I think the problem could be related to our usual setup

Our setups are typically done using the eZ setup wizard, using URL access, two languages (pt and uk) and the corporate package plus some features (forums, etc.) at setup time; every affected site had a second design siteaccess folder added manually after finishing the setup

Lazaro
http://www.mzbusiness.com

Vidar Langseid

Tuesday 13 June 2006 7:42:44 am

Hi

Well, I just tried myself on 3.5.1

using URL access,
two languages (Portuguese and uk)
corporate package
plus features like (forums, mediafiles and shop) at setup time

I am still unable to reproduce this.

After installation, the anonymous has the following roles (which is correct):
content read Section( Standard )
content pdf Section( Standard )
shop buy No limitations
rss read No limitations
user login SiteAccess( corporate )

What kind of policies do you have in your installation for the anonymous user?

Best regards,
VidarL
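The thread turns on whether the anonymous role still carries the default policy set Vidar lists above, or whether a content read policy has been widened (no Section limitation, or a section other than Standard). Below is an added example, not code from the thread or from eZ publish, that parses policy lines in the same "module function limitation" layout as Vidar's list and compares them with that list as a baseline. The baseline values and the input text are taken from the post; the section name "Users" used in the docstring and tests is an assumed example of a section an administrator would not expect anonymous to read.

```python
"""Audit eZ publish anonymous-user policies against an expected baseline.

Added example (not from the thread or from eZ publish). It parses policy
lines in the "module function limitation" layout shown in the thread and
flags anything that would let the anonymous user read beyond the Standard
section (for example an assumed "Users" section, where a users folder
would live), as well as policies missing from or added to the baseline.
"""
import re

# Constructed input, in the same layout as the list posted in the thread.
SAMPLE_POLICIES = """\
content read Section( Standard )
content pdf Section( Standard )
shop buy No limitations
rss read No limitations
user login SiteAccess( corporate )
"""

# Expected anonymous policies as listed in the thread, keyed by
# (module, function); the value is the limitation string.
BASELINE = {
    ("content", "read"): "Section( Standard )",
    ("content", "pdf"): "Section( Standard )",
    ("shop", "buy"): "No limitations",
    ("rss", "read"): "No limitations",
    ("user", "login"): "SiteAccess( corporate )",
}

# module, function, then the rest of the line as the limitation
POLICY_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_policies(text):
    """Return a list of (module, function, limitation) tuples."""
    policies = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = POLICY_RE.match(line)
        if not m:
            raise ValueError("unparsable policy line: %r" % line)
        policies.append((m.group(1), m.group(2), m.group(3)))
    return policies


def section_of(limitation):
    """Extract the section name from a 'Section( X )' limitation, or None."""
    m = re.match(r"Section\(\s*(.+?)\s*\)", limitation)
    return m.group(1) if m else None


def audit_anonymous(policies, allowed_sections=("Standard",)):
    """Return a list of findings; an empty list means the role matches the baseline.

    A finding is produced when:
      * content read/pdf has no Section limitation at all, or names a section
        outside allowed_sections (for example an assumed Users section),
      * a policy is present that the baseline does not list,
      * a baseline policy is missing (this would break the public site rather
        than expose data, but still means the role was edited).
    """
    findings = []
    seen = set()
    for module, function, limitation in policies:
        key = (module, function)
        seen.add(key)
        if module == "content" and function in ("read", "pdf"):
            section = section_of(limitation)
            if section is None:
                findings.append("%s/%s has no Section limitation (%s)"
                                % (module, function, limitation))
            elif section not in allowed_sections:
                findings.append("%s/%s reaches section %r"
                                % (module, function, section))
        if key not in BASELINE:
            findings.append("unexpected policy %s/%s (%s)"
                            % (module, function, limitation))
    for key in BASELINE:
        if key not in seen:
            findings.append("baseline policy %s/%s is missing" % key)
    return findings


if __name__ == "__main__":
    report = audit_anonymous(parse_policies(SAMPLE_POLICIES))
    for line in report or ["anonymous role matches baseline"]:
        print(line)
```

Run against the list from the post it reports a match; paste the policy list from an affected site's admin interface instead and any widened content read policy shows up as a finding, which is the first thing to check before suspecting the eZ publish version itself.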
