Security issue - collaboration rss  (#3777)
Issue

The RSS feed for any collaboration is broken. You can see any data although you are not entitled to see it. My case is based on a user who is not logged in and can see any RSS collaboration data. I haven't checked whether I can see a collaboration's RSS when logged in but not a member of the "Who can view" group.

To recreate this case (done at demo.plainblack.com):

1. I created a collaboration at /demo/collaboration_test and committed the content. For the collaboration I set "Who can view" to "Registered users" (and the same for all other security choices).

2. Added a post to the collaboration

3. Log out

4. Checked /demo/collaboration_test.rss and I can see the content, although you should need to log in to see it.

/Erik

Solution Summary
Comments
laurarumage
0
6/13/2008 1:23 pm

I am looking at this now. -LR

laurarumage
0
6/13/2008 1:53 pm

I can't seem to recreate this bug. Please let me know if I'm missing something.


1. Created collaboration system with "Who can view" set to "Admin"

2. Committed changes

3. Added a post

4. Added syndicated content, "URL to File" set for RSS file of collaboration system

5. Committed changes

6. Logged out

7. Clicked to view collaboration system thread and log-in screen appears (cannot view thread without log-in)


preaction
0
6/13/2008 3:10 pm

It's the RSS feed of the collaboration that the OP is talking about.

I'll take a look at this.

preaction
0
6/13/2008 3:15 pm

I have reproduced this, but there's an issue: There is no way to authenticate the RSS feed through WebGUI.

The only authentication method that works for the current RSS feed readers is HTTP Basic Auth, so you'd need a plugin that would map an HTTP Basic Auth to a WebGUI user.

Given that, restricting an RSS feed would work, so I'm going to fix this problem.

preaction
0
6/13/2008 3:20 pm

Fixed in 7.5.13. Closing as resolved.

Left a note in the gotchas for those who may have been relying on this buggy / insecure behavior.
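The following is an added example written for this page, not code from the ticket, from WebGUI, or from either commenter. It models the bug the ticket describes (the thread view of a collaboration honours its "Who can view" group while the .rss view of the same asset did not, so a logged-out visitor could read a members-only feed), the fix preaction describes (apply the same view check to the feed), and the Basic-Auth-to-user mapping he says a feed reader would need in order to authenticate. The class and function names, the group names, the sample users and posts, and the 401/403 status codes are all assumptions of the example; the ticket says only that the feed was restricted in 7.5.13 and that such a mapping plugin would be needed.

```python
"""Added example (not WebGUI's code) of the access check this ticket is about.

The thread view of a collaboration honours its "Who can view" group; the .rss
view did not, so a logged-out visitor could read a members-only feed. The fix
applies the same gate to the feed; a feed reader can then only identify itself
with HTTP Basic Auth, mapped onto a user. All names, group names and status
codes below are this example's assumptions, not WebGUI's API or behaviour.
"""
import base64
import hmac
from dataclasses import dataclass, field

EVERYONE = "Everyone"            # constructed group names
REGISTERED = "Registered Users"
ADMINS = "Admins"

@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset            # group memberships

VISITOR = User("Visitor", frozenset({EVERYONE}))   # the anonymous caller

@dataclass
class Post:
    title: str
    body: str

@dataclass
class Collaboration:
    url: str
    group_id_view: str           # the "Who can view" group
    posts: list = field(default_factory=list)

    def can_view(self, user: User) -> bool:
        return self.group_id_view in user.groups

def render_rss(asset: Collaboration) -> str:
    items = "".join(
        f"<item><title>{p.title}</title><description>{p.body}</description></item>"
        for p in asset.posts)
    return f'<rss version="2.0"><channel><title>{asset.url}</title>{items}</channel></rss>'

def www_view_rss_vulnerable(asset, user):
    """The reported behaviour: the feed never consults the view group."""
    return 200, render_rss(asset)

def www_view_rss_fixed(asset, user):
    """Same gate as the thread view. An anonymous caller is challenged (401; a
    real handler would add WWW-Authenticate: Basic); a known but unauthorised
    user gets 403. The status codes are this example's choice."""
    if asset.can_view(user):
        return 200, render_rss(asset)
    return (401 if user == VISITOR else 403), ""

def basic_header(username, password):
    """Build the Authorization header value a feed reader would send."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def user_from_basic_auth(header, directory):
    """Map an Authorization: Basic header onto a user, else VISITOR (the plugin
    preaction describes). directory: {username: (password, User)}; a real one
    would verify a stored hash, not a plaintext password."""
    if not header or not header.startswith("Basic "):
        return VISITOR
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:                 # covers bad base64 and bad UTF-8
        return VISITOR
    username, sep, password = raw.partition(":")
    entry = directory.get(username) if sep else None
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return VISITOR
    return entry[1]

# Constructed data mirroring the reproduction steps in the report.
ERIK = User("erik", frozenset({EVERYONE, REGISTERED}))
DIRECTORY = {"erik": ("s3cret", ERIK)}
ASSET = Collaboration("/demo/collaboration_test", REGISTERED,
                      [Post("first post", "members only")])

def fetch_rss(handler, authorization=None):
    """Steps 3-4 of the report: fetch the .rss URL, logged out unless a header is sent.
    Returns (status, whether the members-only post body leaked)."""
    status, body = handler(ASSET, user_from_basic_auth(authorization, DIRECTORY))
    return status, "members only" in body

if __name__ == "__main__":
    print(fetch_rss(www_view_rss_vulnerable))                             # (200, True)
    print(fetch_rss(www_view_rss_fixed))                                  # (401, False)
    print(fetch_rss(www_view_rss_fixed, basic_header("erik", "s3cret")))  # (200, True)
```

The first call reproduces the report: a visitor gets 200 and the post body from the unpatched handler. The patched handler challenges the same visitor and only returns the feed once a Basic Auth header maps to a user in the view group, which is what a feed reader configured with credentials would send.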

Details
Ticket Status: Closed
Rating: 0.0
Submitted By: erik.svanberg
Date Submitted: 2008-05-13
Assigned To: unassigned
Date Assigned: 2022-08-16
Assigned By:
Severity: Critical (mostly not working)
What's the bug in? WebGUI Stable
WebGUI / WRE Version: WebGUI 7.4.34
URL: bugs/tracker/security-issue---collaboration-rss