Logged in users can gain access to the management GUI and change some parameters

Issue #321 resolved
Mika Myllynen
created an issue

The application can be tricked to show the administrative GUI by a non-privileged user by manipulating the JSON reply data. Most management actions correctly check the real privileges at the server but at least the user repository configuration data can be edited. Uploading a plugin is also possible.

Steps to reproduce:

  1. Log in to the SCM webapp
  2. Trap the response to the authentication/state.json action. The response contains user clientConfig parameters.
  3. In the config parameters replace: "admin":false with "admin":true
  4. You will see the admin GUI but not the admin data
  5. Go to Config. You will get an error of loading the config data and cannot edit most of the fields. However, in the bottom there is the section about User repositories. You can edit and save that section.
  6. Similarly, you can upload a plugin. It was not tested whether a valid plugin would be inserted into the running configuration however.

Comments (5)

  1. Sebastian Sdorra repo owner
    • changed status to open

    Uploading a plugin with this way results in "sonia.scm.security.ScmSecurityException: admin account is required". The section about the "User repositories" come from the userrepo-plugin. So i will change the component to userrepo-plugin.

  2. Log in to comment