security vulnerability: users who know the URL can access restricted areas

Howdy gents/ladies
I ran into this problem, trying to post some sensitive information to one of my clients. It seems that a user who does not otherwise have access to project X can still see files, tasks, and messages, and download files, from project X if the user knows the direct URI to these areas.

To reproduce:
- Create a project, add a file/message/etc.
- Add a user who does not have access to the project
- Log in as this user and go directly to project/messages or project/files, etc., using the URI

Any thoughts?
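The report above describes a missing server-side authorization check: the application resolves the object named in the URI and returns it without first confirming that the requesting user is a member of the project. The following is an added example (not code from the original thread or from the project being discussed) of what that check looks like. All data, names and the exact "private" semantics (membership always required; private items additionally limited to the owner company, as the later reply describes) are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# --- Constructed sample data (assumed, not from the thread) -------------------

@dataclass(frozen=True)
class User:
    name: str
    company: str


@dataclass
class Project:
    id: int
    owner_company: str
    members: set = field(default_factory=set)  # user names granted access


@dataclass(frozen=True)
class Item:
    id: int
    project_id: int
    kind: str       # "file", "message" or "task"
    private: bool   # "private" flag: visible to the owner company only


PROJECTS = {
    1: Project(id=1, owner_company="Acme", members={"alice", "carol"}),
}

ITEMS = {
    10: Item(id=10, project_id=1, kind="file", private=False),
    11: Item(id=11, project_id=1, kind="message", private=True),
}

USERS = {
    "alice": User("alice", "Acme"),        # owner-company member of project 1
    "carol": User("carol", "Contractor"),  # external member of project 1
    "bob":   User("bob", "Other"),         # not a member of project 1 at all
}


class AccessDenied(Exception):
    pass


def can_access(user: User, item: Item) -> bool:
    """Object-level authorization: decided from the item's project, never from the URL."""
    project = PROJECTS[item.project_id]
    if user.name not in project.members:
        return False                      # knowing the URI is not a grant of access
    if item.private and user.company != project.owner_company:
        return False                      # private: owner company only
    return True


def fetch_item(user: User, item_id: int) -> Item:
    """Handler for a direct URI such as /project/files/<id>: look up, then authorize."""
    item = ITEMS.get(item_id)
    if item is None or not can_access(user, item):
        # Identical failure for "does not exist" and "not allowed", so the
        # response does not confirm which ids are valid.
        raise AccessDenied(f"{user.name} may not view item {item_id}")
    return item


def is_allowed(user_name: str, item_id: int) -> bool:
    """Convenience wrapper used for checks: True if the direct URI would be served."""
    try:
        fetch_item(USERS[user_name], item_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for name in USERS:
        for iid in (10, 11, 99):
            print(f"{name:6} item {iid}: {'allowed' if is_allowed(name, iid) else 'denied'}")
```

The key design point is that `fetch_item` is the only path from an id in the URI to an object, and it always passes through `can_access`; any "share with a colleague" convenience would then be a separate, explicit grant rather than a side effect of the URL being guessable.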

This has already been discussed before, and there were mixed feelings. If you mark the files/messages/etc. as "private", then the URL won't work. Otherwise some people are considering it a feature for convenience, i.e. if someone wants to share a file directly with a colleague, they don't have to get an admin to add them to the project just for that, or expose all the other project info.

I think that's the same thing as what I noticed some months ago: if you modify the URLs you can get access to projects or messages you shouldn't be able to.

The "private" work-around wouldn't work in most situations since the "private" option is to limit access only to the owner company.

In my opinion, we should look at that and lock it down so that nobody gets access to anything they're not supposed to, and then possibly think about a way to share the files (or also messages while we're at it).

-

Tim

I was not able to replicate this on my local machine.
mp459, I sent you an email requesting access to your files, but you still haven't replied.