
Possible security leak

simon
Champ in-the-making
Hi Alfresco,

I accidentally ran into this issue where a normal user can access the Administration Console; it seems like a serious problem. You only need the URL to the Administration Console (or any other A.C. related link): http://youralfresco:8080/alfresco/faces/jsp/admin/admin-console.jsp

This will bring you to the login page where you log in with a random user and… voila! I logged in as a user with almost no permissions and now have access to the Administration Console. I get a "no permission" error when I try to change something, so it's read-only access, but still…

I tested this on the Alfresco 1.2.0 Enterprise release (with and without LDAP authentication enabled).

kevinr
Star Contributor
There is nothing stopping any user navigating to admin-console.jsp, you are correct. But also, as you say, the various functions are all protected by the usual Alfresco permissions framework, so that user will still need "admin" level access to be able to do anything useful.

Thanks,

Kevin

simon
Champ in-the-making
"anything useful"

Seems like getting the data out is useful enough. Some clients would love to browse the node structure or see which other clients (= accounts) are using the system. Company A will be able to see that there is a company B group and that this group has 5 members; even their names and e-mails are visible.

kevinr
Star Contributor
But they wouldn't be able to do that - the NodeBrowser screens you mention go through the usual Alfresco secured services, i.e. if a folder is invisible to a user in the web-client, it will also be invisible in the NodeBrowser. It's all the same data and the same service interfaces. Same with the Export functionality - they will only be able to see and export the same data as they would in the normal web-client UI.

Cheers,

Kevin

simon
Champ in-the-making
Kevin, you are right but I didn't explain it well enough.

The problem is not that a normal user can change the data (Alfresco prevents the submits), but that he can SEE some confidential information. A normal user can search for any username or just look at all the users in the system. This alone is a serious security issue for us (both internal and external users use the system): clients shouldn't be able to see our other contacts.
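A regression check a deployment owner can run against their own server to confirm that Administration Console pages are refused (or bounced to the login page) for a regular account, written as an added example in Python; it is not code from this thread or from Alfresco. It assumes a requests.Session already logged in as a low-privilege user, uses only the admin-console.jsp URL quoted above, and its login-page detection is a heuristic.

```python
"""Regression check: does a normal (non-admin) account get the Administration
Console pages served, or is it refused / sent to the login page?"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List
from urllib.parse import urljoin

# The only admin path taken from the thread; add further Administration Console links here.
ADMIN_PATHS = ["/alfresco/faces/jsp/admin/admin-console.jsp"]


@dataclass
class Page:
    status: int     # HTTP status of the final response (after redirects)
    final_url: str  # URL actually served (after redirects)
    body: str       # response body (HTML)


# A fetcher takes an absolute URL and returns the Page the normal user gets.
Fetcher = Callable[[str], Page]


def looks_like_login(page: Page) -> bool:
    """Heuristic: the server answered with a login form instead of the page asked for."""
    return "login" in page.final_url.lower() or 'type="password"' in page.body.lower()


def classify(page: Page) -> str:
    """Map one response to: denied, login-required, served, or other:<status>."""
    if page.status in (401, 403):
        return "denied"
    if looks_like_login(page):
        return "login-required"
    if page.status == 200:
        return "served"
    return f"other:{page.status}"


def audit(fetch: Fetcher, base_url: str, paths: Iterable[str] = ADMIN_PATHS) -> Dict[str, str]:
    """Fetch every admin path through the low-privilege session and classify it."""
    return {p: classify(fetch(urljoin(base_url, p))) for p in paths}


def exposed(results: Dict[str, str]) -> List[str]:
    """Paths that were served to the normal account: the condition the thread reports."""
    return sorted(p for p, verdict in results.items() if verdict == "served")


def requests_fetcher(session) -> Fetcher:
    """Adapter for a requests.Session already logged in as a normal user (assumed)."""
    def fetch(url: str) -> Page:
        r = session.get(url, allow_redirects=True, timeout=10)
        return Page(r.status_code, r.url, r.text)
    return fetch
```

Run `exposed(audit(requests_fetcher(session), "http://youralfresco:8080/"))` after each upgrade or authentication change; a non-empty list means the console is still being served to ordinary users.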