[MAGNOLIA-7707] Login Console accessible publicly Created: 15/Jan/20  Updated: 21/Jan/20  Resolved: 21/Jan/20

Status: Closed
Project: Magnolia
Component/s: admininterface
Affects Version/s: 6.0
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: Vineet Mishra Assignee: Mercedes Iruela
Resolution: Not an issue Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

all the environments


Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

Description

It is observed that the Magnolia Author login page can be accessed externally for websites which use Magnolia CMS in the backend to manage content. Once accessible, the same login page can be brute forced by attackers to get into the system and delete, modify, deface etc. This is possible in case the website is using default credentials, e.g. superuser, eric, peter (which are available publicly).

Steps:

Step 1. Access any website which uses Magnolia CMS in the backend.

Step 2. Take any URL which resolves to a Magnolia page, and craft a request with the OPTIONS method.

Step 3. As the OPTIONS method is disabled in the backend, the user will get a 403 error. But along with this error, the response page will contain the Magnolia login form.

Step 4. Enter valid credentials, or brute force.

Step 5. If successful, this will allow access to Magnolia from a public-facing resource.
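As an added example that is not part of this ticket or of Magnolia's own code: a small Python check a site owner can run over captured HTTP responses from the public site (here constructed inline) to flag the symptom in step 3, an error page whose body still carries a password form. The field names and action path in the sample bodies are assumptions, not Magnolia's real markup.

```python
"""Flag HTTP response bodies that carry a login (password) form.

Added example, not code from the ticket or from Magnolia. Sample
responses below are constructed; field names are made up.
"""
from html.parser import HTMLParser


class _FormScanner(HTMLParser):
    """Counts <form> elements that contain an <input type="password">."""

    def __init__(self):
        super().__init__()
        self._in_form = False
        self._has_password = False
        self.login_forms = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._in_form, self._has_password = True, False
        elif tag == "input" and self._in_form:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            if self._has_password:
                self.login_forms += 1
            self._in_form = False


def leaks_login_form(body):
    """True if the response body contains at least one password form.

    A public-facing error page (e.g. the 403 returned for a rejected
    method) should be a bare error page; a password form in it is the
    exposure the ticket describes."""
    scanner = _FormScanner()
    scanner.feed(body)
    return scanner.login_forms > 0


# Constructed sample bodies (assumed markup, not Magnolia's).
LEAKY_403 = ('<html><body><h1>403 Forbidden</h1>'
             '<form method="post" action="/assumed-login-path">'
             '<input name="username"><input type="password" name="password">'
             '</form></body></html>')
CLEAN_403 = '<html><body><h1>403 Forbidden</h1></body></html>'
SEARCH_PAGE = '<form action="/search"><input type="text" name="q"></form>'
```

Run it against every distinct error page your public host returns (OPTIONS, unknown method, missing page); any response where leaks_login_form is True should be fixed before the site is exposed.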



Comments
Comment by Mercedes Iruela [ 15/Jan/20 ]

Hi Vineet,
There is a set of security best practices that we recommend to our customers to avoid the issues that you are reporting. I hope you find them useful: https://documentation.magnolia-cms.com/display/DOCS61/Security+best+practices

Regards,
Mercedes

Generated at Mon Feb 12 04:26:07 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.