mariovaldez.net

MV.net forums

All times are UTC - 7 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 5 posts ] 
Author Message
PostPosted: 17 Mar 2005, 03:22 

Joined: 13 Sep 2004, 03:42
Posts: 2
Location: Austria
I just discovered a potential security issue in the statspages. Stats are displayed also for objects that a user doesn't have access to.

This is a big issue when serving multiple customers with one instance of CMS.

How can I disable the stats page or restrict access to the root user only?


 Post subject: Try
PostPosted: 18 Mar 2005, 07:02 
Go into the CMS admin & set "Max number of documents to report in stats" to 0.


PostPosted: 18 Mar 2005, 11:02 

Joined: 06 Mar 2003, 03:21
Posts: 447
Location: Monterrey, NL, Mexico
jbjoerk:

> I just discovered a potential security issue
> in the statspages. Stats are displayed also
> for objects that a user doesn't have access to.
> This is a big issue when serving multiple
> customers with one instance of CMS.

I've filed a bug tracking entry at:
http://www.mariovaldez.net/webapps/bugtracker/bug.php?op=show&bugid=175


Tell me jbjoerk, what would be a good solution for you?
a) Display stats only to admin.
b) Display full stats with titles/URLs obscured for items the user has no access to.
c) Display stats only for objects the user has access to (but calculating stats for all objects).
d) Display and calculate stats only for objects the user has access to.

If you read the bugtrack report you'll see why the stats page was designed as is. However, I want to know how I can make it better. Let me know.


There is a quick workaround, as Mark Coudriet already wrote:
mark> Go into the CMS admin & set "Max number
mark> of documents to report in stats" to 0.

If you want to disable the icon for the stat page do the following:

Edit the cm/cm_lib.inc.php file and find the fcm_title_nav2 function (it should be around line 376).

Find two lines that look like this one (around line 392 and 421):
Code:
echo "&nbsp;<A class=\"cms\" HREF=\"statshits.php?cm_path=$cm_path\">...


and comment them out (just add a double slash "//" at the beginning).


If you want to make it available only to the superuser then move that line to the corresponding code block:

Find and add the line here:
Code:
if ($cm_issuperuser) {
  echo "&nbsp;<A class=\"cms\" HREF=\"console.php\">...
  /***** ADD THE LINE HERE *****/
}



If you do the last change (to show it only to the superuser) then you'll need to edit the statshits.php file to make it really secure:

After the line 35, where there is:
Code:
fcm_title_nav2 ($cm_path, false, false, false, false, false, false, false);


add this:
Code:
if (($cm_superuser) && ($cm_superuser == $user_kurz)) {


and before this around line 155:
Code:
echo $cm_html_footer;


add this:
Code:
}
else {
  echo "<h3 class=\"setuperror\">{$cm_text["console-nosuperuser"]}</h3>\n";
  fcm_add_logentry ("", $user_kurz, CM_APPLOG_ERROR, "Error when viewing the stats. Not enough permissions.");
}



Regards,

Mario A. Valdez-Ramirez
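As an added example (not code from the CMS or from Mario's post), here is a self-contained PHP sketch of the two designs this thread converges on: the superuser-only gate that the edit to statshits.php implements, and option (d), computing stats only for objects the user may access so that no other customer's titles or URLs are ever emitted. The function and variable names (stats_for_user, $hits, $acl, $superuserOnly) and the sample data are assumptions.

```php
<?php
// Added example, not from the CMS or the forum post. stats_for_user(),
// $hits and $acl are hypothetical names; only the superuser-gate idea and
// the "error message plus log entry" refusal come from the thread.

// Constructed sample data: per-document hit counts and per-user access lists.
$hits = [
    'customer-a/index.html'  => 120,
    'customer-a/prices.html' => 45,
    'customer-b/index.html'  => 300,
];
$acl = [
    'alice' => ['customer-a/index.html', 'customer-a/prices.html'],
    'bob'   => ['customer-b/index.html'],
];

/**
 * Return the stats rows a user may see, or null if the page must be refused.
 * - Option (a): when $superuserOnly is set, only $superuser gets any rows.
 * - Option (d): otherwise each user sees only the objects on their access
 *   list; rows for other objects are filtered before output, so nothing
 *   about them (title, URL or count) reaches the page.
 */
function stats_for_user(string $user, string $superuser, bool $superuserOnly,
                        array $hits, array $acl): ?array
{
    if ($user === $superuser) {
        return $hits;                // superuser sees everything
    }
    if ($superuserOnly) {
        return null;                 // refuse; caller logs and shows an error
    }
    $allowed = array_flip($acl[$user] ?? []);
    return array_intersect_key($hits, $allowed);
}

$user = 'alice';
$rows = stats_for_user($user, 'root', false, $hits, $acl);
if ($rows === null) {
    // Mirrors the else-branch in the post: visible error plus an audit entry.
    error_log("Error when viewing the stats. Not enough permissions. user=$user");
    echo "<h3 class=\"setuperror\">Not enough permissions</h3>\n";
} else {
    foreach ($rows as $doc => $n) {
        echo htmlspecialchars($doc) . ": $n hits\n";
    }
}
```

Calling stats_for_user('alice', 'root', true, ...) returns null, which is the superuser-only behaviour the patched statshits.php enforces; with $superuserOnly false, alice sees only her two customer-a rows.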


PostPosted: 18 Mar 2005, 11:27 

Joined: 13 Sep 2004, 03:42
Posts: 2
Location: Austria
Hi Mario,

Thank you for a very descriptive answer.
The optimal solution would be D but I can understand that this would create a lot more overhead when generating the page.

The next best solution would be to only allow the superuser to see the stats - set on the config page, perhaps with a warning about the consequences of allowing access to everyone.

Showing incomplete stats would likely lead to confusion among the users.


PostPosted: 19 Mar 2005, 04:52 

Joined: 06 Mar 2003, 03:21
Posts: 447
Location: Monterrey, NL, Mexico
jbjoerk:

> Thank you for a very descriptive answer.
> The optimal solution would be D but I can
> understand that this would create a lot
> more overhead when generating the page.
> The next best solution would be to only
> allow the superuser to see the stats - set
> on the config page, perhaps with a warning
> about the consequences of allowing access
> to everyone.

I'll do that in the next version. :)


> Showing incomplete stats would likely lead
> to confusion among the users.

I agree.


Thanks for your comments.

Regards,

Mario A. Valdez-Ramirez.

