mariovaldez.net

I just discovered a potential security issue in the statspages. Stats are displayed also for objects that a user doesn't have access to.

This is a big issue when serving multiple customers with one instance of CMS.

How can I disable the stats page or restrict access to the root user only?

Go into the CMS admin & set "Max number of documents to report in stats" to 0.

jbjoerk:

> I just discovered a potential security issue
> in the statspages. Stats are displayed also
> for objects that a user doesn't have access to.
> This is a big issue when serving multiple
> customers with one instance of CMS.

I've filled a bug tracking entry at:
http://www.mariovaldez.net/webapps/bugtracker/bug.php?op=show&bugid=175


Tell me jbjoerk, what would be a good solution for you?
a) Display stats only to admin.
b) Display full stats with titles/URLs obscured for items the users has no access.
c) Display stats only for objects the user has access to (but calculating stats for all objects).
d) Display and calculate stats only for objects the user has access to.

If you read the bugtrack report you'll see why the stats page was designed as is. However, I want to know how can I make it better. Let me know.


There is a quick workaround, as Mark Coudriet already wrote:
mark> Go into the CMS admin & set "Max number
mark> of documents to report in stats" to 0.

If you want to disable the icon for the stat page do the following:

Edit the cm/cm_lib.inc.php file and find the fcm_title_nav2 function (it should be around line 376).

Find two lines that look like this one (around line 392 and 421):


and comment them out (just add a double slash "//" at the beginning).


If you want to make it available only to the superuser then move that line to the corresponding code block:

Find and add the line here:



If you do the last change (to show it only to the superuser) then you'll need to edit the statshits.php file to make it really secure:

After the line 35, where there is:


add this:


and before this around line 155:


add this:



Regards,

Mario A. Valdez-Ramirez

Hi Mario,

Thank you for a very descriptive answer.
The optimal solution would be D but I can understand that this would create a lot more overhead when generating the page.

The next best solution would be to only allow the superuser to see the stats - set on the config page, perhaps with a warning about the consequences of allowing access to everyone.

Showing incomplete stats would likely lead to confusion among the users.

jbjoerk:

> Thank you for a very descriptive answer.
> The optimal solution would be D but I can
> understand that this would create a lot
> more overhead when generating the page.
> The next best solution would be to only
> allow the superuser to see the stats - set
> on the config page, perhaps with a warning
> about the consequences of allowing access
> to everyone.

I'll do that in the next version.


> Showing incomplete stats would likely lead
> to confusion among the users.

I agree.


Thanks for your comments.

Regards,

Mario A. Valdez-Ramirez.