[Community Server] security breach in 9.5.4.553

Post by dsi-lille » Fri Apr 20, 2018 10:25 am

Hello,

We have detected a security breach in Community Server version 9.5.4.553 with the feed module.
With this version, a user is able to switch from their account to my personal admin account.

Steps:

1 - The user is connected as himself and clicks on the Feed button

2 - Then, clicks on an author name

3 - The user is now connected with my personal account.

Some details:

- My personal account is admin.
- No matter who the user is or which author name he clicked, it always switches to my personal account.
- Only some people have access to the People module (including me).

Upgrading to version 9.6 solves the problem.

Thanks,
Yoann
dsi-lille
 
Posts: 200
Joined: Mon Jul 11, 2016 1:47 pm

Re: [Community Server] security breach in 9.5.4.553

Post by dsi-lille » Mon Apr 23, 2018 8:51 am

Hello,

I'm trying to reproduce this issue on our test environment with no luck for the moment...
Strange :-/

Yoann.

Re: [Community Server] security breach in 9.5.4.553

Post by Maxim » Thu Apr 26, 2018 8:03 am

Hello Yoann!
Please confirm that you cannot reproduce this issue on your current instance.
Maxim
 
Posts: 1743
Joined: Tue Oct 11, 2016 2:34 pm

Re: [Community Server] security breach in 9.5.4.553

Post by dsi-lille » Thu Apr 26, 2018 12:22 pm

Hello Maxim,

I confirm that I cannot reproduce this issue:

- in our production environment since the upgrade to Community Server 9.6
- in our test environment with Community Server 9.5, but this environment is not like our production one (far fewer users). Maybe that's why I cannot reproduce the issue on this environment: fewer users means less data in the feed module...

Thanks,
Yoann

Re: [Community Server] security breach in 9.5.4.553

Post by Maxim » Thu Apr 26, 2018 12:56 pm

Hello dsi-lille!
Great thanks
Maxim

