This bug may cause major data breach
Posted: 20 Sep 2021, 13:08
We are building our CRM system based on Rukovoditel and our developer found a bug which can cause a huge data security breach, especially if somebody is using the system as a portal for their clients.
The case is related to all Access Groups with the active option: ‘View only records assign to you’.
In an entity where records exist there is an ‘Edit’ option in the Action tab, and there is a hidden address, i.e.: https://xxx/index.php?module=items/form ... age[100]=1
When pasting this link into the browser and changing [id] to a different value (i.e. 2) you can see the record with id 2 and you can change field values even if the record is not assigned to you and you are not an Admin or you don’t have permission to edit this record.
So the system is not checking ‘Assigned to’ while displaying these records.
This way anyone, regardless of their Access Group and edit permissions, can see and edit all records in the system.
Also please take a look at the Access Rules in entities, as access conditions (i.e. edit only when in a particular status, etc.) are not checked when pasting the link into your browser.
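The report above describes a classic insecure direct object reference: the listing honours ‘View only records assigned to you’, but the form handler reached through the hidden URL trusts the id parameter and skips both the assignment check and the entity Access Rules. The example below is an added illustration, not Rukovoditel code and not in the project's PHP; it models the fault with a deliberately unchecked loader beside a hardened one that re-runs every authorization check on the direct edit path. The groups, records, status rule and helper names are constructed for the demonstration and are assumptions, not taken from the post.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the current user may not open or save a record."""


@dataclass
class User:
    id: int
    group: str


@dataclass
class Group:
    name: str
    can_edit: bool            # Access Group grants edit at all
    view_assigned_only: bool  # 'View only records assigned to you'


@dataclass
class Record:
    id: int
    assigned_to: int
    status: str
    data: dict = field(default_factory=dict)


# Constructed sample data (hypothetical, not from the forum post).
GROUPS = {
    "admin":  Group("admin",  can_edit=True,  view_assigned_only=False),
    "client": Group("client", can_edit=True,  view_assigned_only=True),
    "viewer": Group("viewer", can_edit=False, view_assigned_only=True),
}
RECORDS = {
    1: Record(1, assigned_to=10, status="open"),
    2: Record(2, assigned_to=20, status="open"),
    3: Record(3, assigned_to=10, status="closed"),
}
# Hypothetical entity Access Rule: editing is allowed only while status is "open".
EDIT_RULES = [lambda rec: rec.status == "open"]


def load_record_unchecked(user: User, record_id: int) -> Record:
    """Mirrors the reported behaviour: the id from the URL is trusted as-is.

    Filtering the list view is not enough; anyone who knows or guesses an
    id reaches the record here regardless of group or assignment.
    """
    return RECORDS[record_id]


def authorize_edit(user: User, rec: Record) -> Record:
    """Apply every check the list view applies, on the form path too."""
    group = GROUPS[user.group]
    if group.view_assigned_only and rec.assigned_to != user.id:
        raise AccessDenied("record is not assigned to this user")
    if not group.can_edit:
        raise AccessDenied("access group has no edit permission")
    if not all(rule(rec) for rule in EDIT_RULES):
        raise AccessDenied("entity access rule denies editing this record")
    return rec


def load_record_for_edit(user: User, record_id: int) -> Record:
    """Hardened loader: authorize against the record, not against the URL."""
    rec = RECORDS.get(record_id)
    if rec is None:
        # Same failure as a denied record, so the id cannot be used as an
        # existence oracle by walking ids in the address bar.
        raise AccessDenied("record not found or not accessible")
    return authorize_edit(user, rec)


def save_record(user: User, record_id: int, changes: dict) -> Record:
    """The save handler must re-check too; a POST can be crafted without the form."""
    rec = load_record_for_edit(user, record_id)
    rec.data.update(changes)
    return rec


def can_edit(user: User, record_id: int) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        load_record_for_edit(user, record_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    client = User(10, "client")
    # The unchecked path reproduces the bug: record 2 belongs to user 20.
    print("unchecked:", load_record_unchecked(client, 2).id)
    # The hardened path denies the same request.
    print("hardened :", can_edit(client, 2))
```

The key design point is that `authorize_edit` is the single place where assignment, group permission and entity rules are evaluated, and both the form loader and the save handler call it. A filter applied only to the list query, as the report describes, leaves every other entry point (direct URL, crafted POST, export) unprotected.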