
core/authenticate.php is reachable without admin password #758

Closed
unt01d opened this issue Jan 9, 2018 · 6 comments

@unt01d (Contributor) commented Jan 9, 2018

Hi,

I notice that I can still reach the core/authenticate.php page without logging in as an admin when using 'admin.protectindexpage' => true. Is there a reason for this? I'm keen to ensure that the admin resources aren't available in production. Happy to submit a PR with a fix.

The sanitycheck/index.php page has the same issue, but I can work-around that by disabling the module. Probably not an option with core :)

Thanks,
Chris

@tvdijen (Member) commented Jan 9, 2018

Sanitycheck should probably adhere to the admin.protectindexpage setting because it could leak file paths, but the core/authenticate.php doesn't leak any information and is incredibly useful for debugging purposes.

@unt01d (Contributor, Author) commented Jan 9, 2018

Hi @tvdijen,

Thanks for the reply. I get that the page doesn't leak particularly sensitive information, but would it hurt to at least have the option of hiding it in a way that's consistent with the other admin features? My feeling is that any resource that's solely used for debugging and isn't directly involved in serving SAML requests shouldn't be openly available in production.

Thanks,
Chris

@thijskh (Member) commented Jan 9, 2018

Perhaps this is something to incorporate in the new layout (branch Xnew-ui), which has a clearer separation between user and admin UIs?

@tvdijen (Member) commented Jan 9, 2018

Yes, but how are we going to accommodate this? Different people have different needs when it comes to securing pages like this.

@falco76 commented May 2, 2018

I submitted PR #837 to solve it.

IMHO, authenticate.php is very useful (only for authenticated users), but right now it permits discovering (and checking) private authsources.
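The gating that @unt01d asks for and that @falco76's PR addresses is the same check that SimpleSAMLphp 1.x's www/index.php already applies under admin.protectindexpage. The following is an added illustration of that pattern for a debug-only page such as core/authenticate.php; it is not code from PR #837 or from the SimpleSAMLphp source. It assumes the 1.15+ APIs `SimpleSAML_Configuration::getInstance()`, `getBoolean()` and `SimpleSAML\Utils\Auth::requireAdmin()`, that `_include.php` sets up the autoloader, and the hypothetical helper name `requireAdminIfProtected`.

```php
<?php
// Added example, not part of SimpleSAMLphp or PR #837.
// Assumes www/_include.php bootstraps the autoloader, as in 1.x.
require_once('_include.php');

/**
 * Hypothetical helper: when the operator has enabled admin.protectindexpage,
 * require an admin login before the page renders anything.
 *
 * SimpleSAML\Utils\Auth::requireAdmin() redirects an unauthenticated visitor
 * to the admin login and does not return, so a debug page that calls this
 * first never discloses its authsource list (or anything else) anonymously.
 *
 * Returns true when the page is open to everyone (setting disabled), so the
 * caller can log that fact if it wants to.
 */
function requireAdminIfProtected(SimpleSAML_Configuration $config)
{
    // Same default as index.php: unprotected unless explicitly enabled.
    if ($config->getBoolean('admin.protectindexpage', false)) {
        SimpleSAML\Utils\Auth::requireAdmin();
        return false;
    }
    return true;
}

$config = SimpleSAML_Configuration::getInstance();

if (requireAdminIfProtected($config)) {
    // Defender's note: an operator who leaves the setting disabled in
    // production has consciously accepted that this page is public.
    SimpleSAML\Logger::info('authenticate.php served without admin check (admin.protectindexpage is false)');
}

// The authsource selector / test harness of the page follows from here,
// and is only reached by an admin when admin.protectindexpage is true.
```

The helper runs before any output so there is nothing to reveal if the redirect fires; putting the check behind the existing option rather than a new one is what keeps it consistent with the other admin pages, which is the consistency @unt01d requested.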

@tvdijen (Member) commented Mar 14, 2019

1.17 came with an experimental admin module. It's not completely usable, but in 1.18 it will be the replacement for the current interface.
For our next major, the solution would be to disable the admin module. It may take a while, but for now I'm closing this issue since there is no actual issue and things will resolve eventually.

@tvdijen tvdijen closed this Mar 14, 2019