Tested on Joomla 4.0-dev
Create a menu link to Smart Search
Visit that menu link and look in the Advanced Search -> Search by author dropdown - note what you see
Create a new UNPUBLISHED Article. Enter an Author Alias you would recognise. NOTE THE ARTICLE IS UNPUBLISHED.
Visit that menu link and look in the Advanced Search -> Search by author dropdown - note what you see
I expect to NOT see the Author Alias of an unpublished item, if there are no published items with that same Author name.
Smart Search is leaking information and displaying the names of Authors of unpublished items, where there are zero published items by that author.
Repeat this with the article set to an ACL level your public has no access to (like Special or Super Users). Repeat the test. You can now view the author name of items that are restricted to you by ACL.
This is probably a security issue then, as it's ACL not being applied correctly too.
We addressed this years ago in J3. Finder in J4 is an almost complete rewrite, allegedly.
I was surprised to see huge amounts of serialised PHP objects in the db too... almost the whole articles
This is just for one article!
as well as the published/state/access levels all in #__finder_links
- gulp
I'm no com_finder expert, but storing the full route to items in the db and a full serialised PHP object per item seems overkill. My finder_links table is over 200Mb in size!
@brianteeman No, we did not address this years ago. We addressed the fact that words and small phrases could be leaked via the search suggestions. Smart Search in J4 also isn't a rewrite, but incremental enhancements of what we got in J2.5. While none of the features are rocket science, I wouldn't have been able to come up with the combination of all of this, and the code is in some cases very different from what I would write. That at the same time also makes it clear to me that this has also not been developed from the ground up by those who donated it to Joomla. From the coding style and the overall construction, it is pretty clear that this originated as a standalone project somewhere outside of Joomla by one group and was then adapted to our CMS by another group of people. Long story short: I improved it, but didn't rewrite it. Most changes were natural improvements. Some of the biggest changes unfortunately weren't backwards compatible, which is why this is done in J4 and not already in J3.
@PhilETaylor The issue is also present in J3. I don't see a way to prevent this, except for adding parameters in the finder plugins to not store these taxonomies.
The data stored in the finder_links table is indeed a full copy of the site's content, similar to the UCM table. I don't like it either, but I also wouldn't know a different solution to this. At least none that is anywhere near as performant as this. If you have a proposal for how to better implement this, I'm all ears. We would need it for the tags rewrite at some point as well.
And while writing all of this, I actually do have an idea what to do. I'll post a PR soon.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-05-15 15:09:39 |
Closed_By | ⇒ | PhilETaylor |
Joomla 3 is not affected by this.