Recycler: Possible security issue
I found out that a regular BE user who has no access to the recycler module can access a URL like this
This is a potential security hole, since a BE user could play with the URL and get information they are not allowed to see. I suggest adding a simple check at the top of the file class/controller/class.tx_recycler_controller_ajax.php:
// Check whether the user has access to the module
global $BE_USER;
$MCONF['name'] = 'web_txrecyclerM1';
$MCONF['access'] = 'user,group';
// This check makes sure the user has the permissions to access this class. Exits if that's not the case.
$BE_USER->modAccess($MCONF, 1);
#4 Updated by Helmut Hummel over 7 years ago
- Status changed from New to Rejected
- Priority changed from Must have to -- undefined --
- Patch is reviewed set to No
- Has patch set to No
While it is not nice to be able to call the method, there is no information disclosure here, because the access is checked correctly in the class tx_recycler_model_deletedRecords in any case. So the user cannot get or modify anything without the proper permissions.