CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Topic: Civi security (Read 1166 times)

airwaves
Civi security
September 16, 2009, 01:55:58 am
Hi,

I noticed a security issue in civi.
If I log in to Joomla with my user/pass and click and copy a link in the user menu to edit some civi user info in a profile, then this link is also available when I completely log out of Joomla. With the difference that no user info is displayed, but the form is.

So the link is http://www.mydomain.nl/index.php?option=com_civicrm&view=Profiles&layout=edit&Itemid=46 (this link is only available to registered users in the user menu of Joomla)

But when I completely log out of Joomla this same link is still available and it works. I can create a new user in civi.


Am I missing something here?


Edwin.

Dave Greenberg (Administrator)
Re: Civi security
September 17, 2009, 09:03:48 am
This issue was addressed in the 2.2.8 release - http://civicrm.org/node/608 .

airwaves
Re: Civi security
September 23, 2009, 10:12:33 am
That's strange.

I installed 2.2.9 in a test site and copied a URL from the Joomla frontend (civi URL for registered members).

But when I log out of the frontend of Joomla, I can still use the URL. The only difference is that no member info is filled in. So the form I'm looking at (change member info) is empty. But when I continue the form, I can save it, and it is added to civi.

I expected a "you are not authorized to use this URL" message.


Edwin.

Dave Greenberg (Administrator)
Re: Civi security
September 24, 2009, 02:55:47 pm
Edwin - Are you using a Joomla front end menu item to access the profile (i.e. the URL you pasted below - http://www.mydomain.nl/index.php?option=com_civicrm&view=Profiles&layout=edit&Itemid=46)? If so, my understanding is that Joomla is supposed to control access to those URLs based on the permissions in the menu item.

airwaves
Re: Civi security
September 25, 2009, 12:24:29 am
Yes, I access the URL from the frontend. But something strange is going on:

What I did:

After logging out of the frontend in J, I executed the URL below.
http://www.domain.org/crm/index.php?option=com_civicrm&view=Profiles&layout=edit&Itemid=50

I see the form to edit member info, but all the fields are empty (as I explained previously).

Then I change the URL to:
http://www.domain.org/crm/index.php?option=com_civicrm&view=Profiles&layout=edit&Itemid=43

This item ID doesn't exist in J. Joomla gives me "You do not have permission to execute this url".


Then I change the URL to:
http://www.domain.org/crm/index.php?option=com_civicrm&view=Profiles&layout=edit&Itemid=47

This URL does exist in the J user menu and I get the civi form, but again empty. In this case it was a search profile and after hitting the search button, civi gave search results.

It seems like civi/J fails to check if a member is logged in.


Wait a sec....
I found out that if you change the permission for a menu item from public to registered in J, then it works okay.

I used the "user menu" in J. This menu is only visible in J when registered users log in, but the actual menu item (in the user menu) has the permission "public".
That's why I could fire the URL.

The nice thing that comes with this is that now J asks you to log in if you hit the URL.
So if you want good behavior of J, you should make the menu item "registered".


Edwin.
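The root cause Edwin describes is that Joomla enforces access on the menu *item* (`Itemid`), not on the visibility of the menu that contains it, so a Public item inside a logged-in-only user menu is still served to anonymous visitors. The following is an added audit script, not code from the thread or from the CiviCRM/Joomla projects. It assumes the Joomla 1.5-era `jos_menu` table layout (`id`, `menutype`, `name`, `link`, `published`, `access`) and the access values 0 = Public, 1 = Registered, 2 = Special; it uses an in-memory SQLite table with constructed sample rows as a stand-in for the real MySQL database. It lists published `com_civicrm` menu items that are still Public inside a members-only menu, models the three outcomes reported in the thread (unknown `Itemid`, Public item served to anonymous users, Registered item prompting for login), and applies the fix Edwin settled on: setting the item's access to Registered.

```python
import sqlite3

# Joomla 1.5 access levels (assumption: 0 = Public, 1 = Registered, 2 = Special).
PUBLIC, REGISTERED, SPECIAL = 0, 1, 2

# Reduced jos_menu layout (assumption; the real table has more columns).
SCHEMA = """
CREATE TABLE jos_menu (
    id        INTEGER PRIMARY KEY,
    menutype  TEXT,
    name      TEXT,
    link      TEXT,
    published INTEGER,
    access    INTEGER
);
"""

# Constructed sample rows modelled on the thread: "usermenu" is only displayed
# to logged-in users, yet two of its CiviCRM items are still Public.
SAMPLE_ROWS = [
    (46, "usermenu", "Edit my details",
     "index.php?option=com_civicrm&view=Profiles&layout=edit", 1, PUBLIC),
    (47, "usermenu", "Find members",
     "index.php?option=com_civicrm&view=Profiles&layout=search", 1, PUBLIC),
    (50, "usermenu", "Edit my details (fixed)",
     "index.php?option=com_civicrm&view=Profiles&layout=edit", 1, REGISTERED),
    (12, "mainmenu", "Home",
     "index.php?option=com_content&view=frontpage", 1, PUBLIC),
    (48, "usermenu", "Old profile (unpublished)",
     "index.php?option=com_civicrm&view=Profiles&layout=edit", 0, PUBLIC),
]


def open_sample_db():
    """Build the constructed jos_menu table in memory (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO jos_menu VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_public_civicrm_items(conn, menutypes=("usermenu",)):
    """Return (id, name, link) of published com_civicrm items that are Public
    although they sit in a menu intended for logged-in users."""
    placeholders = ",".join("?" * len(menutypes))
    return conn.execute(
        f"""SELECT id, name, link FROM jos_menu
            WHERE published = 1
              AND access = ?
              AND link LIKE 'index.php?option=com_civicrm%'
              AND menutype IN ({placeholders})
            ORDER BY id""",
        (PUBLIC, *menutypes),
    ).fetchall()


def menu_item_outcome(conn, itemid, logged_in):
    """Model what the thread reports for ?Itemid=N: an unknown id yields a
    permission error, a Registered item prompts anonymous users to log in,
    and anything else (including a Public item) is served."""
    row = conn.execute("SELECT access FROM jos_menu WHERE id = ?", (itemid,)).fetchone()
    if row is None:
        return "no-permission"
    if row[0] > PUBLIC and not logged_in:
        return "login-required"
    return "served"


def restrict_to_registered(conn, item_ids):
    """The fix from the thread: move the items from Public to Registered."""
    conn.executemany(
        "UPDATE jos_menu SET access = ? WHERE id = ?",
        [(REGISTERED, i) for i in item_ids],
    )
    conn.commit()
    return conn.total_changes


if __name__ == "__main__":
    db = open_sample_db()
    exposed = find_public_civicrm_items(db)
    for item_id, name, link in exposed:
        print(f"Itemid={item_id} '{name}' is Public: {link}")
    restrict_to_registered(db, [i for i, _, _ in exposed])
    print("remaining public CiviCRM items:", find_public_civicrm_items(db))
```

Against a real site the same `SELECT` can be run directly in MySQL (with the site's own table prefix in place of `jos_`); the point of the audit is to enumerate every CiviCRM-facing item whose access level does not match the menu it lives in, rather than relying on the menu being hidden from anonymous visitors.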
