Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improper Access Control on disabling a user. #3343

Closed
sh0lt0 opened this issue Mar 11, 2020 · 2 comments
Closed

Improper Access Control on disabling a user. #3343

sh0lt0 opened this issue Mar 11, 2020 · 2 comments
Labels
bug Undesired behaviour resolved A fixed issue SECURITY A security issue reported through CVE
Milestone
1.2.11

Comments

@sh0lt0
Copy link

sh0lt0 commented Mar 11, 2020

Describe the bug
Cacti admin console provides a functionality to disable a created user which takes his privileges to perform any action but if a page is auto-refreshed a disabled user can view updated data.

To Reproduce
Steps to reproduce the behavior:

  1. Log in with Admin account and navigate to http://192.168.56.106/cacti/user_admin.php?action=user_edit&id=5&tab=realms
  2. Give the new user permission to view logs.
  3. Login to new user's account and navigate http://192.168.56.106/cacti/clog_user.php
  4. From Admin's account disable the created user.

Actual behavior
A disabled user can view the system logs and the logs are even updating after the refresh time.
Expected behavior
A disabled user should not be privileged to view the system logs.

  • OS: Ubuntu
  • Browser: Firefox
  • Version - Cacti 1.2.8
@TheWitness
Copy link
Member

Yea, the credentials are cached. Thought there was a mechanism to have the credentials replayed when the admin makes a change to the user account.

@TheWitness TheWitness added the enhancement General tag for an enhancement label Mar 12, 2020
@sh0lt0
Copy link
Author

sh0lt0 commented Mar 13, 2020

I understand that permission propagation takes time but it is assumed the best security practice to implement expiry time to the cache.

@TheWitness TheWitness added bug Undesired behaviour SECURITY A security issue reported through CVE and removed enhancement General tag for an enhancement labels Mar 13, 2020
TheWitness added a commit that referenced this issue Mar 13, 2020
@TheWitness
Fixing Issue #3343 and outstanding issue with #3342
25abe64
@TheWitness TheWitness added the resolved A fixed issue label Mar 13, 2020
@TheWitness TheWitness added this to the 1.2.11 milestone Mar 13, 2020
TheWitness added a commit that referenced this issue Mar 24, 2020
@TheWitness
Regression related to automatic logout and guest account for issue #3343
ec0d1f8
@github-actions github-actions bot locked and limited conversation to collaborators Jun 30, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Undesired behaviour resolved A fixed issue SECURITY A security issue reported through CVE
Projects
None yet
Milestone
1.2.11
Development

No branches or pull requests
2 participants
@TheWitness @sh0lt0