PhilETaylor
28 Mar 2021

Steps to reproduce the issue

Tested on Joomla 4.0-dev

Create a menu link to Smart Search
Visit that menu link and look in the Advanced Search -> Search by category dropdown - note what you see

UNPUBLISH all your categories.

Visit that menu link and look in the Advanced Search -> Search by category dropdown - note what you see

Expected result

I expect to NOT see any categories in the dropdown

Actual result

Smart search is leaking information and displaying the categories in the db

Also

Repeat this, setting the categories to an ACL level your public has no access to (like Special or Super Users). Repeat the test. You can now view the category names of items that are restricted to you by ACL.

This is probably a security issue then, as it's ACL not being applied correctly too.

@joomla/security

PhilETaylor - open - 28 Mar 2021
joomla-cms-bot - change - 28 Mar 2021
Labels Added: ?
joomla-cms-bot - labeled - 28 Mar 2021
PhilETaylor - change - 28 Mar 2021
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2021-03-28 18:57:00
Closed_By: PhilETaylor
PhilETaylor - close - 28 Mar 2021
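
The check the report expects, as an added example (not from the issue and not Joomla's own code): a category appears in the filter dropdown only if it is published and its access level is among the viewer's authorised view levels. The row fields `state` and `access`, the view level ids and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Titles a viewer may see in the "Search by category" dropdown.
 * Assumed row shape (hypothetical): title, state (1 = published),
 * access (id of the view level required to see the category).
 */
function visibleCategoryTitles(array $categories, array $authorisedLevels): array
{
    $visible = array_filter(
        $categories,
        static fn (array $c): bool =>
            (int) $c['state'] === 1
            && in_array((int) $c['access'], $authorisedLevels, true)
    );

    return array_values(array_column($visible, 'title'));
}

/**
 * Titles present in rendered output that the viewer should not see.
 * Useful as a regression check against the dropdown's option labels.
 */
function leakedTitles(array $rendered, array $categories, array $authorisedLevels): array
{
    $allowed = visibleCategoryTitles($categories, $authorisedLevels);

    return array_values(array_diff($rendered, $allowed));
}

// Constructed sample data covering both cases in the report.
$categories = [
    ['title' => 'News',       'state' => 1, 'access' => 1], // published, public
    ['title' => 'Drafts',     'state' => 0, 'access' => 1], // unpublished
    ['title' => 'Staff only', 'state' => 1, 'access' => 3], // restricted by ACL
];

// Assumed view level ids held by an anonymous visitor.
$guestLevels = [1, 5];

// The behaviour described in the report: every category is rendered.
$rendered = array_column($categories, 'title');

print_r(visibleCategoryTitles($categories, $guestLevels));
print_r(leakedTitles($rendered, $categories, $guestLevels));
```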
