Vote

Creating tenants with a prefix only, causes security issues

description

The following scenario describes a case when a tenants are being created with a URL prefix only

Default tenant

url: http://localhost
user: admin

Tenant1

url: http://localhost/tenant1
user: administrator

When logged in as a admin user within a default tenant it is possible to access a tenant1 as a administrator without passing any credentials for tenant1.

comments

sebastienros wrote Dec 11, 2012 at 8:20 PM

When the cookie is generated, just assign the Path property with the prefix.

sebastienros wrote Dec 11, 2012 at 8:25 PM

FormsAuthenticationService line 49

Item 365 of 1474 Previous | Next

work item details

Item number:	19229
User comments:	2
Status:	Active
Reason Closed:	Unassigned
Type:	Issue
Impact:	Low
Release:	Orchard 1.7
Assigned to:	Unassigned
Component:
Reported on: Reported by:	Nov 7, 2012 at 7:33 AM pguzewicz
Updated on: Updated by:	Dec 11, 2012 at 8:25 PM sebastienros
Closed on: Closed by:	n/a n/a

Keyboard shortcuts are available for this page.

Updating...

Creating tenants with a prefix only, causes security issues

description

file attachments

comments

work item details

Updating...

Woops...X

Are you sure?X

Creating tenants with a prefix only, causes security issues

description

file attachments

comments

work item details