OpenNMS / NMS-3184

Web users can bypass ACLs by editing params of element/node.jsp URLs


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.7.2
    • Fix Version/s: 1.8.6, 1.9.3
    • Component/s: Web UI - ACLs
    • Security Level: Default (Default Security Scheme)
    • Labels: None
    • Environment: Operating System: All; Platform: PC
    • Bugzilla Id: 3137

Description

Steps to reproduce:

1a. Create group "canhas" with all node categories included; add user "jeffg" to this group
1b. Create group "nocanhas" with only "Production" node category; add user "rjeffg" to this group
2. Add nodes 1 and 3 to node categories "Servers", "Production"; add node 2 to categories "Servers", "Development"
3a. Log out and log in as "rjeffg", view node list, note that only nodes 1 and 3 are in list
3b. Click node 1 in node list
4. Edit URL, changing "element/node.jsp?node=1" to "element/node.jsp?node=2"

Expected behavior: some kind of denial

Actual behavior: a slightly restricted entry point into viewing info for node #2, including all parts of the node detail page and the resource graphs workflow.
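The defect is that the node list applies the category ACL but the node detail page trusts whatever `node=` value arrives in the URL. The fix is to make the authorization decision from the requested node id on the server, on every request, regardless of how the URL was built. The following is an added illustration of that check, not OpenNMS code: the groups, categories and nodes are constructed to mirror the steps above, and `authorized_node_ids` and `handle_node_request` are hypothetical names standing in for the page handler.

```python
"""
Model of a server-side category ACL check for element/node.jsp?node=<id>.

Added example, not OpenNMS code. The data below is constructed to mirror
the reproduction steps (groups canhas/nocanhas, users jeffg/rjeffg, nodes
1-3); the function names are hypothetical.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed data mirroring the steps to reproduce.
GROUP_CATEGORIES = {
    "canhas": {"Servers", "Production", "Development"},  # all categories
    "nocanhas": {"Production"},
}
USER_GROUPS = {"jeffg": {"canhas"}, "rjeffg": {"nocanhas"}}
NODE_CATEGORIES = {
    1: {"Servers", "Production"},
    2: {"Servers", "Development"},
    3: {"Servers", "Production"},
}


def authorized_node_ids(user: str) -> set:
    """Nodes whose categories intersect a category granted to any of the user's groups.

    This is the same rule the node list uses; the point is to reuse it for
    the detail page instead of relying on the list to filter links.
    """
    allowed = set()
    for group in USER_GROUPS.get(user, ()):
        allowed |= GROUP_CATEGORIES.get(group, set())
    return {nid for nid, cats in NODE_CATEGORIES.items() if cats & allowed}


def handle_node_request(user: str, url: str) -> tuple:
    """Return (status, body) for a request to element/node.jsp?node=<id>.

    The decision is taken from the id in the request itself, so it holds
    whether the id came from a node-list link or from a hand-edited URL.
    """
    params = parse_qs(urlsplit(url).query)
    try:
        node_id = int(params["node"][0])
    except (KeyError, IndexError, ValueError):
        return 400, "missing or invalid node parameter"
    if node_id not in authorized_node_ids(user):
        # Deny before rendering anything, so there is no partial node detail
        # page or resource-graph entry point for nodes outside the user's
        # categories. Unknown ids get the same answer, which avoids
        # revealing whether a node exists.
        return 403, "access denied"
    return 200, f"node {node_id} detail page"


if __name__ == "__main__":
    for user in ("jeffg", "rjeffg"):
        for nid in (1, 2, 3):
            status, body = handle_node_request(user, f"element/node.jsp?node={nid}")
            print(f"{user} node={nid}: {status} {body}")
```

With this in place, step 4 of the reproduction (rjeffg editing `node=1` to `node=2`) yields a 403 rather than a node detail page, while jeffg, whose group covers every category, can still open all three nodes.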

People

• Assignee: Unassigned
• Reporter: jeffg (Jeff Gehlbach)
• Votes: 2
• Watchers: 1