
core/authenticate.php is reachable without admin password #758

Open
unt01d opened this Issue Jan 9, 2018 · 5 comments

@unt01d
Contributor

unt01d commented Jan 9, 2018

Hi,

I notice that I can still reach the core/authenticate.php page without logging in as an admin when using 'admin.protectindexpage' => true. Is there a reason for this? I'm keen to ensure that the admin resources aren't available in production. Happy to submit a PR with a fix.

The sanitycheck/index.php page has the same issue, but I can work-around that by disabling the module. Probably not an option with core :)

Thanks,
Chris

@tvdijen


Member

tvdijen commented Jan 9, 2018

Sanitycheck should probably adhere to the admin.protectindexpage setting because it could leak file paths, but the core/authenticate.php doesn't leak any information and is incredibly useful for debugging purposes.

@unt01d


Contributor

unt01d commented Jan 9, 2018

Hi @tvdijen,

Thanks for the reply. I get that the page doesn't leak particularly sensitive information, but would it hurt to at least have the option of hiding it in a way that's consistent with the other admin features? My feeling is that any resource that's solely used for debugging and isn't directly involved in serving SAML requests shouldn't be openly available in production.

Thanks,
Chris

@thijskh


Member

thijskh commented Jan 9, 2018

Perhaps this is something to incorporate in the new layout (branch Xnew-ui), which has a clearer separation between user and admin UIs?

@tvdijen


Member

tvdijen commented Jan 9, 2018

Yes, but how are we going to accommodate this? Different people have different needs when it comes to securing pages like this.

@falco76


falco76 commented May 2, 2018

I submitted PR #837 to solve it.

IMHO, authenticate.php is very useful (only for authenticated users), but it currently permits discovering (and checking) private authsources.

@tvdijen tvdijen added this to the 2.0 milestone Nov 21, 2018
