|
Author
|
Message
|
|
Lazaro Ferreira
|
Thursday 01 June 2006 2:42:35 am
Hi, I would like to know why ezpublish (...ENTERPRISE...) is delivered with an anonymous user that can read sensitive information like USER Folder ? Shouldn't be better for an Enterprise System like EZPublish having this permission revoked Regards
Lazaro
http://www.mzbusiness.com
|
|
Kristian Hole
|
Sunday 04 June 2006 5:19:47 pm
eZ publish does not give you access to the users folder if you are anonymous. Which version of eZ publish are you running?
Kristian
http://ez.no/ez_publish/documenta...tricks/show_which_templates_are_used
http://ez.no/doc/ez_publish/techn...te_operators/miscellaneous/attribute
|
|
K259
|
Sunday 11 June 2006 1:59:58 pm
Lazaro, do you have some example urls of this?
|
|
K259
|
Monday 12 June 2006 5:33:25 am
Is this btw. a (known) security problem?
|
|
Lazaro Ferreira
|
Monday 12 June 2006 8:24:49 am
Hi Kristian, We detect this problem in more than one setup of EZP 3.4+, however my colleague said to me that the problem doesn't appear in EZP 3.6+ Probably could be a good ideia to alert partners and users with version EZP 3.4+ about this issue Regards
Lazaro
http://www.mzbusiness.com
|
|
Lazaro Ferreira
|
Monday 12 June 2006 8:49:49 am
Hi, I've forgot to give you the URL http://yourdomain/users or http://yourdomain/yoursiteaccess/users
Lazaro
http://www.mzbusiness.com
|
|
Jeroen Sangers
|
Monday 12 June 2006 11:00:16 am
I can't access those URL's with mu eZ Publish installation. Did you make any changes in the permissions?
|
|
Vidar Langseid
|
Tuesday 13 June 2006 2:00:56 am
It is *not* possible for the anonymous user to read sensitive information like the user folder in any version of eZ publish.
It is claimed in this forum thread that eZ publish versions between 3.4 and 3.6 is affected by this flaw. This is not true. We have tested and can confirm that the following versions do indeed behave as expected:
3.4.0
3.4.7
3.5.0
3.5.10 Lazaro, since you have this misbehavior on your sites it must be because you have modifided the anonymous' privileges. eZ publish is not shipped with such privileges on the anonymous user by default.
|
|
Lazaro Ferreira
|
Tuesday 13 June 2006 3:55:30 am
Hi Vidar, Actually the problem was detected in EZP 3.4.2, and EZP 3.5.1 I can assure you that we haven't modify any privileges (at least explicitly ) for the anonymous user here, so I think the problem could be related to our usual setup Our setup are tipically done using the ez setup wizard, using URL access, two languages (pt and uk) and corporate package plus some features like (forums, etc) at setup time, every site affected had been added a second design siteaccess folder manually, after finishing the setup
Lazaro
http://www.mzbusiness.com
|
|
Vidar Langseid
|
Tuesday 13 June 2006 7:42:44 am
Hi Well, I just tried myself on 3.5.1
using URL access,
two languages (portugeese and uk)
corporate package
plus features like (forums, mediafiles and shop) at setup time I am still unable to reproduce this.
After installation, the anonymous has the following roles (which is correct):
content read Section( Standard )
content pdf Section( Standard )
shop buy No limitations
rss read No limitations
user login SiteAccess( corporate ) What kind of policies do you have in your installation for the anonymous user?
Best regards,
VidarL
|
