Uploaded image for project: 'Admininterface Legacy 4.x (closed)'
  1. Admininterface Legacy 4.x (closed)
  2. MGNLADMLEG-48

PageMVCServlet should be using AggregationState or normalize URLs and be stricter when looking up which page to serve

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 5.2.2
    • None

    Description

      Default roles have denies such as /.magnolia/pages/configuration*.
      However, with the current implementation of info.magnolia.module.admininterface.PageMVCServlet, any user who has access to /.magnolia (but not this specific page, as is the case for the eric sample user), security can be bypassed by simply requesting /.magnolia/pages/FOO/BAR/configuration.html

      Checklists

        Acceptance criteria

        Attachments

          Issue Links

            is cloned by

            Bug - A problem which impairs or prevents the functions of the product. MAGNOLIA-5621 CLONE - PageMVCServlet should be using AggregationState or normalize URLs and be stricter when looking up which page to serve

            • Critical - Crashes, loss of data, severe memory leak.
            • Closed
            relates to

            Bug - A problem which impairs or prevents the functions of the product. MAGNOLIA-5506 Default roles have weak URI security checks

            • Major - Major loss of function, or significant new/changed feature
            • Open

            Activity

              People

                rkovarik Roman Kovařík
                gjoseph Magnolia International
                Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: