Prevent authorized access to hashed user password, cachepwd, salt, and sessionid [SEC-3837] #15678
What does it do?
This addresses a variety of different ways a manager user with permission to manage users might be able to access hashed passwords, the cachepwd, or a user's last sessionid. Follows from a report by Solar Security, who reported it was included in the security/group/user/getList response, after which I did some more searching and found a few more places that could return some of these.
Why is it needed?
This is not super interesting from a security perspective, as passwords are hashed and any user that has permission to manage users could change their password and just take over an account that way. But as these fields are not supposed to be readable, good to lock 'm down anyway.
How to test
Perform the actions and confirm there is no sensitive data in the raw response.
Related issue(s)/PR(s)
https://community.modx.com/t/new-security-issues-reported-all-in-one-report/3837
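As an added example (not MODX code from this PR), here is a small Python check for the "How to test" step: it walks a decoded processor response, reports the path of every field named password, cachepwd, salt or sessionid, and shows the shape of the fix by scrubbing those fields recursively. The sample response is constructed in the rough shape of a getList result; field nesting under "Profile" is an assumption, not a real capture.

```python
import json

# Field names the PR says must never reach a user who merely has manage-users permission.
SENSITIVE_FIELDS = {"password", "cachepwd", "salt", "sessionid"}


def find_sensitive_fields(node, path=""):
    """Recursively walk decoded JSON and return the dotted paths of any sensitive
    field names found, e.g. 'results[0].password'. Empty list means clean."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_FIELDS:
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def scrub(node):
    """Return a copy of the structure with sensitive fields dropped at every depth.
    This mirrors the fix: strip the columns before the processor emits its result."""
    if isinstance(node, dict):
        return {k: scrub(v) for k, v in node.items() if k not in SENSITIVE_FIELDS}
    if isinstance(node, list):
        return [scrub(item) for item in node]
    return node


def check_response(raw_json):
    """True when the raw response body contains none of the sensitive fields."""
    return not find_sensitive_fields(json.loads(raw_json))


def fixed_response(raw_json):
    """Re-serialise a response with the sensitive fields removed."""
    return json.dumps(scrub(json.loads(raw_json)))


# Constructed sample (placeholder values, not a real MODX response).
LEAKY_RESPONSE = json.dumps({
    "success": True, "total": 1,
    "results": [{
        "id": 2, "username": "editor", "active": True,
        "password": "HASH-PLACEHOLDER", "cachepwd": "", "salt": "SALT-PLACEHOLDER",
        "Profile": {"fullname": "Editor", "sessionid": "SESSION-PLACEHOLDER"},
    }],
})
```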