Forum OpenACS Development: Security breach switching ips
There are 2 installations of OpenACS, both remote, using different IPs, even hosted on different servers.
Locally, on my computer, I've assigned ip1 to evex.co, within the file /etc/hosts. I've started using the system, I've logged and browsed a few pages on admin's sections, as such: https://evex.co/admin/site-map/?root_id=692
Then, "locally, on my computer", I switched IP's to evex.co
Ex1. 18.104.22.168 evex.co
Ex2. 22.214.171.124 evex.co
I went back to the browser and continued playing in the system, and surprisingly I was allowed to do everything as if I were logged. In fact, I was logged and all the effects would have be applied to this new destination, in the ip2. There were no warns, session variables worked just fine.
Isn't that a security problem?
If you think you have found a security issue, it's good practice to email someone who might be able to confirm the issue and supply a fix *before* posting in forum.
When explaining issue in an email, use something like the recommendations for describing a bug, so that others may be able to replicate the issue.
Thanks for your explanation and I apologizes for posting in the forum before document it on bug-tracker.
I'll proceed further with doumentation.
How do I know to whom I must assign the bug? I have no idea what package this bug would belong.
The fixes will have to be applied in the core packages such as acs-kernel, acs-authentication, acs-tcl and so on, and I don't know who is responsible for which package.
Perhaps, that's a good example that we could use to clean up a few processes in the BUG tracker workflow. Couldn't we?
The bug submission form will assign automatic defaults for values that are not required.
I've opened the thread to confirm that it is an actual bug, before open and assign it to the responsible person. For instance, I'm still reluctant to classify it as a bug because of one main reason.
Both instances are the same. Meaning, they are a copy of source code and DB.
Would that be an argument to explain the behaviour and exempt the scenario from classifying it as bug (i.e. a security breach)