Credit Card Processor settings visible in LSE History
Bug #1206589 reported by Jason Boyer
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Evergreen | Fix Released | Critical | Unassigned | |
| 2.5 | Fix Released | Undecided | Unassigned | |
| 2.6 | Fix Released | Undecided | Unassigned | |
| 2.7 | Fix Released | Undecided | Unassigned | |
Bug Description
Eg 2.4.0
OSRF 2.2
The Library Settings Editor will hide CC processor settings from users who lack the VIEW_CREDIT_
Reproduction:
User with ADMIN_CREDIT_
User without VIEW_CREDIT_
User clicks History, sees the date, context, previous and new settings.
I would expect that the setting history function consult the permission's view_perm, just like the editor does.
- information type: Public → Private Security
- Changed in evergreen: status: New → Confirmed
- information type: Private Security → Public Security
- Changed in evergreen: status: Confirmed → Fix Committed; milestone: none → 2.8-beta
- Changed in evergreen: status: Fix Committed → Fix Released
While the initial bug report indicates this is a problem in the Library Settings Editor's history functions only, the underlying cause turns out to be yet another remote vulnerability. Any user who can authenticate to Evergreen and make the proper open-ils.pcrud calls can view the history of any setting, including those that are sensitive. This happens because the permacrud action entries in the IDL for the coustl object list no required permission for retrieve. Thus, no permission is required and once anonymous pcrud goes in, no login would be required either.

An immediate fix for this would be to add a permission, just about any permission that a patron would not have will do, to the retrieve action in coustl's permacrud block.

A longer-winded fix will appear in a forthcoming comment. There are a number of things "wrong" about this feature.
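As an added illustration of the comment above (not code from the bug report or from Evergreen itself), here is a small Python audit that walks an IDL document, lists every class exposed through open-ils.pcrud whose retrieve action carries no permission attribute, and then applies the one-attribute fix the comment suggests. The sample IDL fragment, the class ids other than coustl, and the permission name DEMO_STAFF_PERM are constructed; the namespace URIs are assumed to match the ones Evergreen's fm_IDL.xml declares.

```python
import xml.etree.ElementTree as ET

# Assumed to match the namespaces declared in Evergreen's fm_IDL.xml.
IDL_NS = "http://opensrf.org/spec/IDL/base/v1"
PCRUD_NS = "http://open-ils.org/spec/opensrf/IDL/permacrud/v1"

# Constructed sample: coustl mirrors the bug (retrieve with no permission),
# demo_ok shows a guarded retrieve, demo_cstore_only is not on pcrud at all.
SAMPLE_IDL = f"""<IDL xmlns="{IDL_NS}">
  <class id="coustl" controller="open-ils.cstore open-ils.pcrud">
    <permacrud xmlns="{PCRUD_NS}"><actions><retrieve/></actions></permacrud>
  </class>
  <class id="demo_ok" controller="open-ils.cstore open-ils.pcrud">
    <permacrud xmlns="{PCRUD_NS}"><actions>
      <retrieve permission="DEMO_STAFF_PERM" context_field="org_unit"/>
    </actions></permacrud>
  </class>
  <class id="demo_cstore_only" controller="open-ils.cstore">
    <permacrud xmlns="{PCRUD_NS}"><actions><retrieve/></actions></permacrud>
  </class>
</IDL>"""


def unprotected_pcrud_retrieves(idl_xml):
    """Return ids of classes reachable via open-ils.pcrud whose retrieve
    action names no permission, i.e. readable by any authenticated caller."""
    root = ET.fromstring(idl_xml)
    found = []
    for cls in root.iter(f"{{{IDL_NS}}}class"):
        controllers = cls.get("controller", "").split()
        if "open-ils.pcrud" not in controllers:
            continue  # cstore-only classes are not reachable from clients
        for ret in cls.iter(f"{{{PCRUD_NS}}}retrieve"):
            if not ret.get("permission"):
                found.append(cls.get("id"))
    return found


def require_retrieve_permission(idl_xml, class_id, perm):
    """Return the IDL with `perm` required on class_id's retrieve action
    (the immediate fix described in the comment above)."""
    root = ET.fromstring(idl_xml)
    for cls in root.iter(f"{{{IDL_NS}}}class"):
        if cls.get("id") == class_id:
            for ret in cls.iter(f"{{{PCRUD_NS}}}retrieve"):
                ret.set("permission", perm)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("unprotected:", unprotected_pcrud_retrieves(SAMPLE_IDL))
    fixed = require_retrieve_permission(SAMPLE_IDL, "coustl", "DEMO_STAFF_PERM")
    print("after fix:", unprotected_pcrud_retrieves(fixed))
```

Run against a real fm_IDL.xml, the first function is a quick way to spot any other pcrud-exposed class whose retrieve is wide open, not just coustl.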