Information & destructive operations exposed to unauthenticated users. #146

Closed
NathanGibbs3 opened this issue Feb 8, 2023 · 2 comments
Labels: invalid (This doesn't seem right), LCB-TechDebt (Issue exists in Legacy Code Base. We inherited it.), Prod (Observed in Production Environment.), Security (Issue impacts or is related to App Security.), Stability (Issue impacts or is related to App Stability.), UI (User Interface Issues.)
Milestone: 1.4.6
Assignee: NathanGibbs3

Comments

NathanGibbs3 (Owner) commented Feb 8, 2023

Item Description
File(s): base_maintenance.php & includes/base_log_error.inc.php
Class: N/A
Function: includes/base_log_error.inc.php-PrintPageHeader()
Related Issue(s): #89 #142
Depends on Issue(s):
Dependency Type:
Misc. Info.: TMI & TMF exposed to unauthenticated or non-admin users. Thank you @mesteele

Expected Behavior: Less info and NO functionality should be exposed.
Current Behavior: A lot of info and functionality is exposed.

NathanGibbs3 added the labels invalid, Prod, LCB-TechDebt, Security, UI and Stability on Feb 8, 2023
NathanGibbs3 added this to the 1.4.6 milestone on Feb 8, 2023
NathanGibbs3 self-assigned this on Feb 8, 2023
mesteele commented Mar 25, 2023

Development-Latest: Being logged in using $Use_Auth_System = 1;

If the logged-in user's credentials are deleted, BASE gets an error:

The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are "PHP Notice: Unauthorized user access: michael in D:\winids\inetpub\wwwroot\base\includes\base_auth.inc.php on line 563 Attempt Redirect Status: 302 Found X-Powered-By: PHP/7.4.33 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: http://winids/base_main.php Content-type: text/html; charset=UTF-8 ".

Not really sure what needs to be done; maybe logged-in users should not be able to be deleted until they are logged out?
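Added example in PHP, not BASE project code, that covers both the issue description above (internal detail and destructive operations reachable by unauthenticated or non-admin users) and the deleted-user error reported in this comment: a guard for a maintenance page that exposes detail and destructive controls only to an authenticated admin, and that handles a session whose account row has since been deleted by logging out of band and redirecting before any body output. $Use_Auth_System and base_main.php come from the thread; lookupRole(), requireAdminOrRedirect() and the role constants are assumptions.

```php
<?php
// Added example, not BASE project code. Names other than base_main.php are
// hypothetical; the user table below is constructed sample data.
declare(strict_types=1);

const ROLE_ADMIN = 1;
const ROLE_USER  = 2;

// Assumption: resolves the session user to a role id from the user table;
// returns null when the account no longer exists (deleted while logged in).
function lookupRole(string $user): ?int
{
    static $users = ['alice' => ROLE_ADMIN, 'bob' => ROLE_USER]; // constructed
    return $users[$user] ?? null;
}

// Returns true only for an authenticated admin. Every other outcome ends the
// request without leaking file paths, versions or other internal detail.
function requireAdminOrRedirect(array $session, string $loginUrl): bool
{
    $user = $session['user'] ?? '';
    $role = $user === '' ? null : lookupRole($user);

    if ($role === null) {
        // Unknown or deleted account. error_log() writes to the configured PHP
        // error log rather than into the response body, so the redirect's header
        // block is not preceded by a notice (the failure mode seen under CGI).
        error_log("Unauthorized user access: {$user}");
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_unset();
            session_destroy();
        }
        header('Location: ' . $loginUrl, true, 302);
        return false;
    }
    if ($role !== ROLE_ADMIN) {
        // Authenticated but not authorized: deny without describing the page.
        http_response_code(403);
        echo 'Forbidden';
        return false;
    }
    return true;
}

// Usage at the very top of a maintenance page, before any HTML is emitted.
if (!requireAdminOrRedirect($_SESSION ?? [], '/base_main.php')) {
    exit;
}
// Diagnostic output and destructive actions belong below this line only.
```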

NathanGibbs3 (Owner, Author) commented

Opened Issue #156 to track this. Please continue conversation on that Issue's ticket. Thank you for finding this. 😄

NathanGibbs3 added this to Needs triage in Auth System Implementation via automation on Apr 8, 2023
NathanGibbs3 moved this from Needs triage to Closed in Auth System Implementation on Apr 8, 2023
NathanGibbs3 added a commit that referenced this issue May 24, 2023
         Work on #129 #134 #139 #146
         Code Cleanup.

     File(s): base_common.php
            : base_conf.php.dist
            : base_maintenance.php
            : includes/base_capabilities.php
            : includes/base_output_html.inc.php
            : includes/base_state_citems.inc.php
            : includes/base_state_criteria.inc.php
            : setup/base_conf_contents.php
              Code Cleanup.
     File(s): includes/base_action.inc.php
    Issue(s): #134 #205
              Code Cleanup.
     File(s): includes/base_auth.inc.php
              Code Cleanup.
 Function(s): ARC( $roleneeded )
              AuthorizedRole Core, Returns true if the role
              of current user is authorized, false otherwise.
     File(s): includes/base_db.inc.php
 Function(s): filterSql( $item, $force_alert_db, $db )
              Moved from includes/base_state_common.inc.php
     File(s): includes/base_krnl.php
              Code Cleanup.
              Bumped Kernel Version to 0.0.4
              Provides additional:
              Base Include Path: Global: $BKI_Path
                                  Const: BASE_IPath
              Routines Loaded: (available at page load):
              BASE Constants.
              BASE DB system.
     File(s): includes/base_log_error.inc.php
    Issue(s): #134 #146
              Code Cleanup.
 Function(s): ErrorMessage( $message, $color, $br )
            : returnErrorMessage( $message, $color, $br )
              Moved from RTL.
            : DDT( $Items, $Desc, $title, $tab, $wd, $vf, $XSS )
              Add XSS Flag for table items.
            : PrintPageHeader()
              Issue #134 work.
     File(s): includes/base_log_timing.inc.php
    Issue(s): #146
              Code Cleanup.
     File(s): includes/base_output_query.inc.php
            : styles/*.css
    Issue(s): #129 #139
              Code Cleanup.
     File(s): includes/base_rtl.php
              Bumped RTL Version to 0.0.8
              Code Cleanup.
 Function(s): ErrorMessage( $message, $color, $br )
            : returnErrorMessage( $message, $color, $br )
              Removed from RTL.
     File(s): includes/base_state_common.inc.php
              Code Cleanup.
 Function(s): filterSql( $item, $force_alert_db, $db )
              Moved to includes/base_db.inc.php
     File(s): scripts/BASEcli
              Bumped BASEcli Version to 1.2.2
              Added 'debug' and 'dbg' interactive commands
              to toggle connection debugging mode.
              Code Cleanup.
Unit Test(s): Covers ARC() BaseUser::Authenticate*()
Development

No branches or pull requests

2 participants