Security:Authenticated Users can edit any page

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This thread is closed to new posts. You must sign in to post in the forums.
3/21/2010 8:36:07 AM
Total Posts 171
I am a Russian programmer

Security:Authenticated Users can edit any page

Hi, Joe

mojoPortal has a problem with security.

1. Login as Administrator

2. Create user Simple with the role Authenticated Users

3. Logout

4. Login as Administrator

5. Close browser

6. Login as Simple

7. And we have rights in the system as an administrator

Best regards, Alexander

3/21/2010 9:08:24 AM
Total Posts 18439

Re: Security:Authenticated Users can edit any page

Hi Alexander,

Thanks for letting me know about this. I was really surprised that I was able to produce this problem.

The solution is quite simple. You can fix this immediately in your copy by editing Web/Components/mojoRoleProvider.cs and commenting out line 291:

//roleCookie.Expires = DateTime.Now.AddMinutes(20);

The problem is that setting Expires made this not a session cookie but a persistent cookie with a 20-minute timeout.

So the only way this could be exploited is if the admin user closed the browser without signing out and another user signed in from the same machine within 20 minutes; then that user would have escalated permissions.

I have fixed this in my copy; it will be fixed in the coming release.

Thanks,

Joe
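
Added example (not mojoPortal's code): a small Python model of the cookie behaviour Joe describes, using a constructed cookie jar, a hypothetical role-cookie name and made-up role lists. It runs Alexander's steps 4-7 once with the persistent 20-minute role cookie and once with a session cookie, and shows that only the persistent one hands the next user the admin's cached roles.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[datetime] = None  # None = session cookie, dropped when the browser closes

class BrowserJar:
    """Minimal model of one browser's cookie jar on a shared machine."""
    def __init__(self):
        self.cookies = {}

    def set(self, cookie):
        self.cookies[cookie.name] = cookie

    def get(self, name, now):
        c = self.cookies.get(name)
        if c is None or (c.expires is not None and c.expires <= now):
            return None  # missing or timed out
        return c.value

    def close_browser(self):
        # Session cookies vanish; persistent ones stay on disk until they expire.
        self.cookies = {k: c for k, c in self.cookies.items() if c.expires is not None}

ROLE_COOKIE = "portalroles"  # hypothetical name; the real cookie name is not on the page
USER_ROLES = {"admin": ["Admins", "Authenticated Users"], "Simple": ["Authenticated Users"]}

def get_roles(jar, user, now, persistent_role_cookie):
    """Role lookup with a cookie cache, as a role provider would do it.
    persistent_role_cookie=True models the original line 291 (Expires = now + 20 min)."""
    cached = jar.get(ROLE_COOKIE, now)
    if cached is not None:
        return cached.split(";")  # cache hit: whoever left the cookie behind decides the roles
    roles = USER_ROLES[user]
    expires = now + timedelta(minutes=20) if persistent_role_cookie else None
    jar.set(Cookie(ROLE_COOKIE, ";".join(roles), expires))
    return roles

def reproduce(persistent_role_cookie, minutes_later=5):
    """Runs Alexander's steps 4-7 and returns the roles the second user ends up with."""
    t0 = datetime(2010, 3, 21, 8, 30)
    jar = BrowserJar()
    get_roles(jar, "admin", t0, persistent_role_cookie)  # step 4: admin signs in
    jar.close_browser()                                   # step 5: browser closed, no sign-out
    return get_roles(jar, "Simple", t0 + timedelta(minutes=minutes_later), persistent_role_cookie)
```

With the persistent cookie `reproduce(True)` returns the admin's roles for Simple; with a session cookie, or once the 20 minutes have passed, Simple gets only Authenticated Users.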

3/21/2010 9:58:32 AM
Total Posts 171
I am a Russian programmer

Re: Security:Authenticated Users can edit any page

Hi, Joe

I tried the method and everything is working properly.

Thank you, Alexander
