Hi,
Having been successfully hosting our Aspnet Zero based system for several years, we have just encountered a security problem.
A user logged on to a recently created tenancy only to find that the tenancy/user label in the top right corner was referring to a different user on a tenancy to which he had no connection.
The menu items he reported seeing were consistent with the permissions of the user labelled in the top right corner, but the data he was seeing was correct for the tenancy to which he logged on.
Please note the following:
- I could find no record in the UserLoginAttempts table for this particular login
- I could find nothing in the error logs to suggest what the problem was
- There is no chance that the user labelled in the top right corner could have ever logged on from that machine
- I am running Aspnet Zero v4.0 on MVC/Jquery.
- I upgraded to ABP v4.5.0 a few months ago.
This is of great concern to us, and I am hoping you would be able to shed some light on this.
Many thanks.
Additional information: I have just been informed by my client that the login mentioned above was done via the Linked User functionality. It has also happened once more, this time via an impersonation login.
6 Answer(s)
-
0
Hi @philwynn
Using Linked User functionality or impersonation, a user can see data of another user. Is that the case your client is having? Probably I couldn't understand the problem very well :).
Thanks,
-
0
Hi,
Yes, I am obviously aware that this is the purpose of Linked Users and Impersonation.
The problem we had is that the system displayed tenancy/user information in the header label that was not related to the tenancy/user that was linked to/impersonated. Although, the data displayed was for the correct tenancy.
Also worth mentioning, the correct user/tenancy label was displayed after a page refresh.
I have added some additional logging here to help diagnose the problem. So far, it has happened twice.
Regards
-
0
Hi @philwynn
Thanks, got it now. If you can provide a way to reproduce it, we can take a look.
-
0
Hi,
Unfortunately, the bug is intermittent, and I have been unable to reproduce it at will. I have improved logging in this area, so will have more to go on if and when it happens again.
Please could I request that we keep this ticket open for the time being so that I can get back to you if I have any more information.
Many thanks.
-
0
Hi @philwynn
Sure, we can keep it open. If you can send the log files, we can also examine them.
-
0
This issue is closed because it has not had recent activity for a long time.