View Issue Details

ID: 14827
Project: Bug reports
Category: Security
View Status: public
Last Update: 2020-03-05 14:03
Reporter: bewi
Assigned To: LouisGac
Priority: normal
Severity: minor
Status: confirmed
Resolution: open
Product Version: 3.17.x
Summary: 14827: admin without rights can access pages
Description

Admins with limited rights (non superadmins, no access to config area) are able to access the following directories even though they were not linked anywhere in the application:
/index.php/admin/pluginmanager/sa/index
/index.php/admin/menus/sa/view
/index.php/admin/menuentries/sa/view

The users can access the directories, but they can neither add anything to them, nor edit

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.17.1+190408
I will donate to the project if issue is resolved: No
Browser
Database & DB-Version*
Server OS (if known)
Webserver software & version (if known)
PHP Version*

Activities

LouisGac

2019-04-30 15:27

developer   ~51702

Access directory? I'm not sure I understand. What do you see exactly?

LouisGac

2019-04-30 15:30

developer   ~51703

OK, I can reproduce (direct access to the URL works, the view is displayed, even if no action on the page is possible)
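
The behaviour confirmed in this note (a view renders on direct URL access although its actions are blocked) is what a per-route, deny-by-default permission check at dispatch time prevents. The following is an added example, not LimeSurvey's code and not the fix for this issue; the function names, the `settings`/`read` permission mapping and the two user arrays are assumptions made for illustration.

```php
<?php
// Added example: deny-by-default authorization evaluated before any admin view renders.
// All names and the permission mapping below are hypothetical, not LimeSurvey's.

// Route => [permission, right] required even for read-only views (assumed mapping).
const ROUTE_PERMISSIONS = [
    'admin/pluginmanager/sa/index' => ['settings', 'read'],
    'admin/menus/sa/view'          => ['settings', 'read'],
    'admin/menuentries/sa/view'    => ['settings', 'read'],
];

/** Normalise a request path such as /index.php/admin/menus/sa/view/ to a route key. */
function routeFromPath(string $requestUri): string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return ''; // unparseable URI: maps to no route, so it is denied
    }
    $path = (string) preg_replace('#^/index\.php#i', '', $path);
    return strtolower(trim($path, '/'));
}

/** HTTP status the dispatcher should return before the controller action runs. */
function authorize(array $user, string $requestUri): int
{
    if (!empty($user['superadmin'])) {
        return 200; // superadmins keep full access
    }
    $route = routeFromPath($requestUri);
    if (!array_key_exists($route, ROUTE_PERMISSIONS)) {
        return 403; // route not listed: fail closed instead of rendering
    }
    [$permission, $right] = ROUTE_PERMISSIONS[$route];
    $granted = $user['permissions'][$permission] ?? [];
    return in_array($right, $granted, true) ? 200 : 403;
}

// Constructed accounts: a limited admin without config access, and a superadmin.
$limitedAdmin = ['superadmin' => false, 'permissions' => ['surveys' => ['read', 'update']]];
$superAdmin   = ['superadmin' => true, 'permissions' => []];

// Regression check over the three URLs from the report.
foreach (array_keys(ROUTE_PERMISSIONS) as $route) {
    $uri = '/index.php/' . $route;
    printf("%-45s limited=%d superadmin=%d\n", $uri,
        authorize($limitedAdmin, $uri), authorize($superAdmin, $uri));
}
```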

Issue History

Date Modified Username Field Change
2019-04-30 11:33 bewi New Issue
2019-04-30 13:45 c_schmitz Assigned To => LouisGac
2019-04-30 13:45 c_schmitz Status new => assigned
2019-04-30 13:46 c_schmitz Priority none => urgent
2019-04-30 13:46 c_schmitz Reproducibility have not tried => always
2019-04-30 15:27 LouisGac Note Added: 51702
2019-04-30 15:30 LouisGac Note Added: 51703
2020-03-05 14:03 cdorin Priority urgent => normal
2020-03-05 14:03 cdorin Status assigned => confirmed