Details
- Bug
- Resolution: Invalid
- High
- 5.4.9
- None
- PHP 5.6.28, Apache 2.4.18
Description
Under certain circumstances, anonymous users are sometimes able to see pages which they should not have access to. There could be security implications if session data can be accessed out of context.
Steps to reproduce:
1. Prepare a test eZ Publish 5.4 install with demo content, fully updated (latest version is 5.4.9). Set the admin user to admin/admin;
2. Enable HTTP cache in webserver:
Ref:
https://github.com/ezsystems/ezpublish-community/blob/master/doc/apache2/vhost.template
https://github.com/ezsystems/ezpublish-community/blob/master/doc/nginx/nginx.rst
3. Enable HTTP cache in eZ Publish, as detailed in the documentation: https://doc.ez.no/display/DEVELOPER/HTTP+Cache#HTTPCache-CacheandExpirationConfiguration
ezpublish:
    system:
        eng:
            content:
                view_cache: true # Activates HttpCache for content
                ttl_cache: true # Activates expiration based HttpCache for content (very fast)
                default_ttl: 60 # Number of seconds an Http response is valid in cache (if ttl_cache is true)
4. Go to the "eng" frontend siteaccess, and login as admin;
5. Go to the "Partner" section, and click on one of the existing logos ("eZ Logo Black" or "eZ Logo White"). In my test, I went to http://example.com/eng/Partner/eZ-Logo-Black;
6. Run garbage collection. For practical reasons, a valid alternative is to manually delete the relevant session file. To do this, check your cookies on the browser console, and make a note of the value of the eZSESSID cookie (the plain eZSESSID key). Then look into /var/lib/php/sessions/ (or find where your OS stores sessions):
sudo ls -lah /var/lib/php/sessions
You should see a session id that matches your key value. Delete that session:
sudo rm /var/lib/php/sessions/sess_<key>
7. Quickly go to http://example.com/eng/Partner/eZ-Logo-Black. This has to be done within 60 seconds because that's the value of the HTTP cache expiration, as set in step #3 (feel free to adjust that for convenience of course).
- Expected behavior: I should be immediately logged out and asked to log back in
- Actual behavior: I am not logged out until the HTTP cache expires (60 seconds in this test).
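To make the reported interaction concrete, here is an added toy model (not eZ Publish code) of an expiration-based cache sitting in front of a session-backed application: it replays steps 4 to 7 with a cache keyed only on the URL, which reproduces the symptom, and with a cache whose key also includes the resolved user, which is the assumed mitigation. Class and function names, the session ids and the cache key scheme are all constructed for the illustration.

```python
"""Toy model of a TTL HTTP cache in front of a PHP app whose session file is
deleted server-side. Added illustration; names and key scheme are assumed."""

TTL = 60  # default_ttl from the report's configuration (seconds)


class SessionStore:
    """Stands in for /var/lib/php/sessions/: session id -> user name."""

    def __init__(self):
        self.sessions = {}

    def create(self, sid, user):
        self.sessions[sid] = user

    def delete(self, sid):  # the `rm sess_<key>` (or garbage collection) step
        self.sessions.pop(sid, None)

    def user_for(self, sid):  # unknown session id resolves to anonymous
        return self.sessions.get(sid, "anonymous")


def render(path, user):
    """Origin response; records which user it was generated for."""
    return f"{path} rendered for {user}"


class TtlCache:
    """vary_on_user=False keys entries on the URL only (the reported symptom);
    vary_on_user=True adds the resolved user to the key (assumed mitigation)."""

    def __init__(self, ttl, vary_on_user):
        self.ttl, self.vary_on_user, self.entries = ttl, vary_on_user, {}

    def get(self, path, user, now):
        key = (path, user) if self.vary_on_user else path
        hit = self.entries.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1], "HIT"  # served from cache, origin never consulted
        body = render(path, user)
        self.entries[key] = (now, body)
        return body, "MISS"


def reproduce(vary_on_user, seconds_after_delete):
    """Steps 4-7 of the report; returns (body, cache status) of the last request."""
    store, cache = SessionStore(), TtlCache(TTL, vary_on_user)
    path = "/eng/Partner/eZ-Logo-Black"
    store.create("sid-admin", "admin")                     # step 4: log in
    cache.get(path, store.user_for("sid-admin"), now=0)    # step 5: page is cached
    store.delete("sid-admin")                              # step 6: session removed
    user = store.user_for("sid-admin")                     # browser still sends the cookie
    return cache.get(path, user, now=seconds_after_delete)  # step 7
```

With the URL-only key the admin rendering is served until the TTL lapses; with the user-aware key the now-anonymous request misses the cache and gets the anonymous rendering immediately.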