  1. Admininterface Legacy 4.x (closed)
  2. MGNLADMLEG-48

PageMVCServlet should be using AggregationState or normalize URLs and be stricter when looking up which page to serve


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • 5.2.2
    • None

      Default roles have denies such as /.magnolia/pages/configuration*.
      However, with the current implementation of info.magnolia.module.admininterface.PageMVCServlet, any user who has access to /.magnolia (but not to this specific page, as is the case for the eric sample user) can bypass security by simply requesting /.magnolia/pages/FOO/BAR/configuration.html

        Acceptance criteria

              rkovarik Roman Kovařík
              gjoseph Magnolia International

                Created:
                Updated:
                Resolved:
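
The mismatch the report describes, modelled in plain Java as an added example (not Magnolia's code): the deny rule is evaluated against the full request path while the page is looked up from the last path segment only. The trailing-`*` matcher, the two rule lists and the last-segment lookup are simplifying assumptions; `serveStrict` shows the normalize-then-match-exactly approach the issue title asks for.

```java
import java.net.URI;
import java.util.List;

public class PageLookupDemo {
    static final String PREFIX = "/.magnolia/pages/";
    // Constructed rules modelled on the issue: broad allow, one specific deny.
    static final List<String> ALLOW = List.of("/.magnolia*");
    static final List<String> DENY = List.of("/.magnolia/pages/configuration*");

    // Simplified matcher (assumption): only a trailing '*' wildcard is supported.
    static boolean matches(String pattern, String path) {
        return pattern.endsWith("*")
                ? path.startsWith(pattern.substring(0, pattern.length() - 1))
                : path.equals(pattern);
    }

    static boolean uriAllowed(String path) {
        if (DENY.stream().anyMatch(p -> matches(p, path))) return false;
        return ALLOW.stream().anyMatch(p -> matches(p, path));
    }

    static String stripExtension(String s) {
        int dot = s.lastIndexOf('.');
        return dot > 0 ? s.substring(0, dot) : s;
    }

    // Assumed lenient behaviour: authorize the raw path, then take the page
    // name from whatever follows the last '/'. Returns null when denied.
    static String serveLenient(String path) {
        if (!uriAllowed(path)) return null;
        return stripExtension(path.substring(path.lastIndexOf('/') + 1));
    }

    // Stricter variant: normalize once, authorize and look up on that same
    // string, and accept only PREFIX followed by exactly one path segment.
    static String serveStrict(String path) {
        String norm = URI.create(path).normalize().getPath();
        if (!uriAllowed(norm) || !norm.startsWith(PREFIX)) return null;
        String rest = norm.substring(PREFIX.length());
        return (rest.isEmpty() || rest.contains("/")) ? null : stripExtension(rest);
    }

    public static void main(String[] args) {
        // Both request paths are the ones named in the issue description.
        for (String p : List.of("/.magnolia/pages/configuration.html",
                                "/.magnolia/pages/FOO/BAR/configuration.html")) {
            System.out.printf("%-45s lenient=%s strict=%s%n",
                    p, serveLenient(p), serveStrict(p));
        }
    }
}
```

A `null` result stands for "denied or not found". The point of the strict variant is that the string the access rules see and the string the page lookup sees are the same, so a rule written for one page cannot be sidestepped by a path the lookup interprets differently.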