Forums / Suggestions / Anonymous user shouldn't read Users Folder

Anonymous user shouldn't read Users Folder

Author Message

Lazaro Ferreira

Thursday 01 June 2006 2:42:35 am

Hi,

I would like to know why ezpublish (...ENTERPRISE...) is delivered with an anonymous user that can read sensitive information like USER Folder ?

Shouldn't be better for an Enterprise System like EZPublish having this permission revoked

Regards

Lazaro
http://www.mzbusiness.com

Kristian Hole

Sunday 04 June 2006 5:19:47 pm

eZ publish does not give you access to the users folder if you are anonymous. Which version of eZ publish are you running?

Kristian

http://ez.no/ez_publish/documenta...tricks/show_which_templates_are_used
http://ez.no/doc/ez_publish/techn...te_operators/miscellaneous/attribute

K259

Sunday 11 June 2006 1:59:58 pm

Lazaro, do you have some example urls of this?

K259

Monday 12 June 2006 5:33:25 am

Is this btw. a (known) security problem?

Lazaro Ferreira

Monday 12 June 2006 8:24:49 am

Hi Kristian,

We detect this problem in more than one setup of EZP 3.4+, however my colleague said to me that the problem doesn't appear in EZP 3.6+

Probably could be a good ideia to alert partners and users with version EZP 3.4+ about this issue

Regards

Lazaro
http://www.mzbusiness.com

Lazaro Ferreira

Monday 12 June 2006 8:49:49 am

Hi,

I've forgot to give you the URL

http://yourdomain/users

or

http://yourdomain/yoursiteaccess/users

Lazaro
http://www.mzbusiness.com

Jeroen Sangers

Monday 12 June 2006 11:00:16 am

I can't access those URL's with mu eZ Publish installation. Did you make any changes in the permissions?

Vidar Langseid

Tuesday 13 June 2006 2:00:56 am

It is *not* possible for the anonymous user to read sensitive information like the user folder in any version of eZ publish.

It is claimed in this forum thread that eZ publish versions between 3.4 and 3.6 is affected by this flaw. This is not true. We have tested and can confirm that the following versions do indeed behave as expected:
3.4.0
3.4.7
3.5.0
3.5.10

Lazaro, since you have this misbehavior on your sites it must be because you have modifided the anonymous' privileges. eZ publish is not shipped with such privileges on the anonymous user by default.

Lazaro Ferreira

Tuesday 13 June 2006 3:55:30 am

Hi Vidar,

Actually the problem was detected in EZP 3.4.2, and EZP 3.5.1

I can assure you that we haven't modify any privileges (at least explicitly ) for the anonymous user here, so I think the problem could be related to our usual setup

Our setup are tipically done using the ez setup wizard, using URL access, two languages (pt and uk) and corporate package plus some features like (forums, etc) at setup time, every site affected had been added a second design siteaccess folder manually, after finishing the setup

Lazaro
http://www.mzbusiness.com

Vidar Langseid

Tuesday 13 June 2006 7:42:44 am

Hi

Well, I just tried myself on 3.5.1

using URL access,
two languages (portugeese and uk)
corporate package
plus features like (forums, mediafiles and shop) at setup time

I am still unable to reproduce this.

After installation, the anonymous has the following roles (which is correct):
content read Section( Standard )
content pdf Section( Standard )
shop buy No limitations
rss read No limitations
user login SiteAccess( corporate )

What kind of policies do you have in your installation for the anonymous user?

Best regards,
VidarL