Forum OpenACS Development: Security breach switching ips

Posted by Iuri Sampaio on
Hi there,

There are 2 installations of OpenACS, both remote, using different IPs, even hosted on different servers.
Locally, on my computer, I've assigned ip1 to evex.co, within the file /etc/hosts. I've started using the system, I've logged in and browsed a few pages in the admin sections, such as: https://evex.co/admin/site-map/?root_id=692

Then, "locally, on my computer", I switched the IP for evex.co
Ex1. 200.163.19.6 evex.co
Ex2. 192.163.17.8 evex.co

I went back to the browser and continued playing in the system, and surprisingly I was allowed to do everything as if I were logged in. In fact, I was logged in and all the effects would have been applied to this new destination, at ip2. There were no warnings; session variables worked just fine.

Isn't that a security problem?

Posted by Benjamin Brink on
Hi Iuri,

If you think you have found a security issue, it's good practice to email someone who might be able to confirm the issue and supply a fix *before* posting in the forum.

When explaining the issue in an email, use something like the recommendations for describing a bug, so that others may be able to replicate the issue.
https://openacs.org/bugtracker/openacs.org/bug-submission-instructions

cheers,
Ben

Posted by Iuri Sampaio on
Hi Ben,

Thanks for your explanation, and I apologize for posting in the forum before documenting it in the bug tracker.

I'll proceed further with documentation.
Best wishes,

Posted by Iuri Sampaio on
Furthermore,

How do I know to whom I must assign the bug? I have no idea which package this bug would belong to.

The fixes will have to be applied in the core packages such as acs-kernel, acs-authentication, acs-tcl and so on, and I don't know who is responsible for which package.

Perhaps, that's a good example that we could use to clean up a few processes in the BUG tracker workflow. Couldn't we?

Posted by Benjamin Brink on
Hi Iuri,

The bug submission form will assign automatic defaults for values that are not required.

cheers,
Ben

Posted by Iuri Sampaio on
Hi Ben,

I've opened the thread to confirm that it is an actual bug, before opening and assigning it to the responsible person. For instance, I'm still reluctant to classify it as a bug because of one main reason.

Both instances are the same. Meaning, they are a copy of source code and DB.

Would that be an argument to explain the behaviour and exempt the scenario from being classified as a bug (i.e. a security breach)?

Best wishes,
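The observation in the first post (a session that keeps working after evex.co is repointed from ip1 to ip2) and the explanation offered in the last one (both instances are copies of the same source code and database) can be reproduced with a generic signed-cookie session model. This is an added example, not OpenACS code and not a description of how OpenACS actually builds its session cookies: it assumes a toy scheme in which a server issues `user_id:issued_at:HMAC` and accepts any cookie whose MAC verifies under its own secret. Every name, secret and user id here is constructed for the example. It shows that the destination IP plays no part in verification, that two instances cloned from the same database (and therefore the same secret) accept each other's cookies, and that an instance with its own secret does not.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values: a secret cloned into two instances, and a distinct one.
CLONED_SECRET = b"constructed-secret-shared-by-both-clones"
INDEPENDENT_SECRET = b"constructed-secret-of-a-separately-installed-site"


class Instance:
    """A minimal model of one web-server instance with its own session secret.

    Which IP address the client happened to resolve the hostname to is not an
    input anywhere: the cookie is validated purely against the secret.
    """

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self.secret = secret

    def _mac(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue_session_cookie(self, user_id: str, issued_at: int) -> str:
        """Return a signed cookie of the form user_id:issued_at:hexmac."""
        payload = f"{user_id}:{issued_at}"
        return f"{payload}:{self._mac(payload)}"

    def verify_session_cookie(self, cookie: str) -> Optional[str]:
        """Return the user id the cookie authenticates, or None if it is rejected."""
        try:
            user_id, issued_at, mac = cookie.rsplit(":", 2)
        except ValueError:
            return None  # malformed cookie
        expected = self._mac(f"{user_id}:{issued_at}")
        # Constant-time comparison so that a wrong MAC is not distinguishable by timing.
        if not hmac.compare_digest(mac, expected):
            return None
        return user_id


def cookie_accepted_by_clone() -> bool:
    """Log in on instance A, then present the same cookie to a clone B (same secret)."""
    a = Instance("evex.co at ip1", CLONED_SECRET)
    b = Instance("evex.co at ip2 (cloned DB)", CLONED_SECRET)
    cookie = a.issue_session_cookie("admin-user", issued_at=1_700_000_000)
    # B never saw the login, but the MAC verifies under B's identical secret.
    return b.verify_session_cookie(cookie) == "admin-user"


def cookie_accepted_by_independent_instance() -> bool:
    """Same experiment against an instance that has its own secret."""
    a = Instance("evex.co at ip1", CLONED_SECRET)
    c = Instance("a separate site", INDEPENDENT_SECRET)
    cookie = a.issue_session_cookie("admin-user", issued_at=1_700_000_000)
    return c.verify_session_cookie(cookie) == "admin-user"


def tampered_cookie_accepted() -> bool:
    """Changing the user id without the secret must fail even on a clone."""
    a = Instance("evex.co at ip1", CLONED_SECRET)
    b = Instance("evex.co at ip2 (cloned DB)", CLONED_SECRET)
    cookie = a.issue_session_cookie("ordinary-user", issued_at=1_700_000_000)
    forged = cookie.replace("ordinary-user", "admin-user", 1)
    return b.verify_session_cookie(forged) is not None


if __name__ == "__main__":
    print("clone accepts cookie:      ", cookie_accepted_by_clone())
    print("independent site accepts:  ", cookie_accepted_by_independent_instance())
    print("tampered cookie accepted:  ", tampered_cookie_accepted())
```

The practical reading for a defender is that the behaviour in the thread is expected whenever two deployments share their session-signing material: from the cookie's point of view they are one site. Giving each deployment its own secret (and its own session store) makes a session issued by one meaningless to the other, which is the property to check when a production system has been cloned for staging or testing.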