Anonymous users can edit other anonymous users forms

Next topic

Author	Message
Atle Pedersen	Monday 26 February 2007 8:27:56 am For example, go to a random documentation page on ez.no. Start adding a comment as anonymous user. Use another browser/computer and go to the same content/edit url, and you will be able to edit the form there. This is a security problem when developing a site for a customer who needs external anonymous users to create new objects. As it is, other people can get the information from any partly stored object. I've searched for more on this issue, and found an old bug repport, that says this is a fixed bug (ref: http://issues.ez.no/6680). However, to me the bug appears to still exist. Could there be some ini setting I've missed? I've made sure that the content/edit policy has limitation owner(self). So is this a bug, or is there some settings I've missed?
Claudia Kosny	Monday 26 February 2007 9:02:05 am Hi Atle I can't check test this right now but wasn't there an limition to 'self or anonymous users per http session' for content editing? Maybe this means that anonymous users are indentified by their session so they could not edit the content of other users. If you try it out, please report back. Claudia
Atle Pedersen	Monday 26 February 2007 10:24:32 am Thanks for the suggestion, it sounds logical. Unfortunately I couldn't get it to work though. I also tried changing the [Session] SessionNameHandler=default between default and custom. I'll have to look more into it again tomorrow.

Author

Message

Monday 26 February 2007 8:27:56 am

For example, go to a random documentation page on ez.no. Start adding a comment as anonymous user. Use another browser/computer and go to the same content/edit url, and you will be able to edit the form there.

This is a security problem when developing a site for a customer who needs external anonymous users to create new objects. As it is, other people can get the information from any partly stored object.

I've searched for more on this issue, and found an old bug repport, that says this is a fixed bug (ref: http://issues.ez.no/6680). However, to me the bug appears to still exist. Could there be some ini setting I've missed?

I've made sure that the content/edit policy has limitation owner(self).

So is this a bug, or is there some settings I've missed?

Claudia Kosny

Monday 26 February 2007 9:02:05 am

Hi Atle

I can't check test this right now but wasn't there an limition to 'self or anonymous users per http session' for content editing? Maybe this means that anonymous users are indentified by their session so they could not edit the content of other users. If you try it out, please report back.

Claudia

Atle Pedersen

Monday 26 February 2007 10:24:32 am

Thanks for the suggestion, it sounds logical. Unfortunately I couldn't get it to work though.

I also tried changing the
[Session]
SessionNameHandler=default
between default and custom.

I'll have to look more into it again tomorrow.