Forum OpenACS Development: Security breach switching ips

Request notifications

Collapse
Posted by Iuri Sampaio on
Hi there,

There are 2 installations of OpenACS, both remote, using different IPs, even hosted on different servers.
Locally, on my computer, I've assigned ip1 to evex.co, within the file /etc/hosts. I've started using the system, I've logged and browsed a few pages on admin's sections, as such: https://evex.co/admin/site-map/?root_id=692

Then, "locally, on my computer", I switched IP's to evex.co
Ex1. 200.163.19.6 evex.co
Ex2. 192.163.17.8 evex.co

I went back to the browser and continued playing in the system, and surprisingly I was allowed to do everything as if I were logged. In fact, I was logged and all the effects would have be applied to this new destination, in the ip2. There were no warns, session variables worked just fine.

Isn't that a security problem?

Collapse
Posted by Benjamin Brink on
Hi Iuri,

If you think you have found a security issue, it's good practice to email someone who might be able to confirm the issue and supply a fix *before* posting in forum.

When explaining issue in an email, use something like the recommendations for describing a bug, so that others may be able to replicate the issue.
https://openacs.org/bugtracker/openacs.org/bug-submission-instructions

cheers,
Ben

Collapse
Posted by Iuri Sampaio on
Hi Ben,

Thanks for your explanation and I apologizes for posting in the forum before document it on bug-tracker.

I'll proceed further with doumentation.
Best wishes,

Collapse
Posted by Iuri Sampaio on
Fuerthermore,

How do I know to whom I must assign the bug? I have no idea what package this bug would belong.

The fixes will have to be applied in the core packages such as acs-kernel, acs-authentication, acs-tcl and so on, and I don't know who is responsible for which package.

Perhaps, that's a good example that we could use to clean up a few processes in the BUG tracker workflow. Couldn't we?

Collapse
Posted by Benjamin Brink on
Hi Iuri,

The bug submission form will assign automatic defaults for values that are not required.

cheers,
Ben

Collapse
Posted by Iuri Sampaio on
Hi Ben,

I've opened the thread to confirm that it is an actual bug, before open and assign it to the responsible person. For instance, I'm still reluctant to classify it as a bug because of one main reason.

Both instances are the same. Meaning, they are a copy of source code and DB.

Would that be an argument to explain the behaviour and exempt the scenario from classifying it as bug (i.e. a security breach)

Best wishes,