Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-26763

Issue with authenticated caches being shared with anonymous users

    XMLWordPrintable

Details

    • Icon: Bug Bug
    • Resolution: Invalid
    • Icon: High High
    • Customer request
    • 5.4.9
    • Caching, Security
    • None

    • PHP 5.6.28, Apache 2.4.18

    Description

      Under certain circumstances, anonymous users are sometimes able to see pages which they should not have access to. There could be security implications if session data can be accessed out of context.

      Steps to reproduce:

      1. Prepare test eZ Publish 5.4 with demo content, fully updated (latest version is 5.4.9). Set the admin user to admin/admin;
      2. Enable HTTP cache in webserver:

      Ref:
      https://github.com/ezsystems/ezpublish-community/blob/master/doc/apache2/vhost.template
      https://github.com/ezsystems/ezpublish-community/blob/master/doc/nginx/nginx.rst

      3. Enable HTTP cache in eZ Publish, as detailed in the documentation: https://doc.ez.no/display/DEVELOPER/HTTP+Cache#HTTPCache-CacheandExpirationConfiguration

      ezpublish:
    system:
        eng:
            content:
                view_cache: true      # Activates HttpCache for content
                ttl_cache: true       # Activates expiration based HttpCache for content (very fast)
                default_ttl: 60       # Number of seconds an Http response is valid in cache (if ttl_cache is true)

      4. Go to the "eng" frontend siteaccess, and login as admin;
      5. Go to the "Partner" section, and click on one of the existing logos ("eZ Logo Black" or "eZ Logo White"). In my test, I went to http://example.com/eng/Partner/eZ-Logo-Black;
      6. Run garbage collection. For practical reasons, a valid alternative is to manually delete the relevant session file. To do this, check your cookies on the browser console, and make a note of the value of the eZSESSID cookie (the plain eZSESSID key). Then look into /var/lib/php/sessions/ (or find where your OS stores sessions):

      sudo ls -lah /var/lib/php/sessions

      You should see a session id that matches your key value. Delete that session:

      sudo rm /var/lib/php/sessions/sess_<key>

      7. Quickly go to http://example.com/eng/Partner/eZ-Logo-Black. This has to be done within 60 seconds because that's the value of the HTTP cache expiration, as set in step #3 (feel free to adjust that for convenience of course).

      • Expected behavior: I should be immediately logged out and asked to log back in
      • Actual behavior: I am not logged out until the HTTP cache expires (60 seconds in this test).

      Attachments

        Activity

          People

            Unassigned Unassigned
            nuno.oliveira-obsolete@ez.no Nuno Oliveira (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: