Joe Payne2  
#1 Posted : Tuesday, July 26, 2022 3:19:30 PM(UTC)
For security reasons I will keep this suggestion vague. PM me if you want to discuss privately.

AC9 admin permissions are enforced through a combination of two factors. And only those two factors. Both factors are controlled by an unencrypted file stored on the web server.

Should the web server ever get compromised, a simple text edit could grant any admin user full access to all areas regardless of their current security group assignment. A low-level Catalog Admin could suddenly have permissions to payment gateways, assets folders, html snippets etc. And it did not require a recompile, or even a restart of the app pool.

This seems very insecure.


Katie S  
#2 Posted : Tuesday, July 26, 2022 6:09:51 PM(UTC)
Thanks for pointing this out. We will discuss the issue.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
ray22901031  
#3 Posted : Tuesday, July 26, 2022 8:41:02 PM(UTC)
Hi Katie,

It all used to be under one file before 9.0.4; the move from 9.03 to 9.04 went to 2 text files because of the bug where a user could find their way to the customer profile area without being granted permission.

On 9.0.4, one file controls what you see, the menu options, and the other file controls the actions. I have spent hours manipulating these two files to get exactly what I want.

Since this is being brought up again, the easiest solution is to encrypt the two text files, but the better solution is to finally enhance the user access to the database level. I know it's a lot of work, but this is the one area of AbleCommerce that is still stuck in prehistoric times.

Joe's analogy would only work if the user was able to log into AbleCommerce in the first place. Since user logins are stored at the database level. Using a CDN, we can limit who can actually log into the admin pages by restricting IPs. Another feature that would be of great benefit to users. My users can only log in at work, but if they had the skills to manipulate the IIS server, then it could become a reality.

How nice it would be if, within the groups, you could tweak access to the system using checkboxes. You're also missing a group that deals directly with customers. An "order admin" is useless without having the ability to create new customers. Using version 9.03, we were able to bypass this limitation by taking advantage of a bug in the header. This was fixed in 9.0.4.

Hope some of this helps,
-Ray
Katie S  
#4 Posted : Wednesday, July 27, 2022 12:07:30 PM(UTC)
Thanks for making some good points Ray and thank you again for bringing this to our attention Joe.

We have discussed this in the past and again today. An alternate solution was brought up to decorate controller/action methods with authorize attributes with appropriate parameters. This is a huge change where we need to decorate 80% to 90% of action methods and then have to test for each admin group.

This could be done, but probably for a future release. We need to consider that any time a server is compromised, there are bigger issues at hand. If a user can breach a server, then there are several security vulnerabilities, and we can't stop all of them.

Quote:
An "order admin" is useless without having the ability to create new customers


I opened an issue in Jira for this, ref. AC9-2023.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
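
The attribute approach described in post #4, sketched as an added example (not AbleCommerce code) and assuming ASP.NET MVC 5's `System.Web.Mvc`; the controllers and role names are hypothetical. Attributes are compiled into the assembly, so changing them needs a rebuild, and the reflection audit lists any action that was missed during decoration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Threading.Tasks;
using System.Web.Mvc;

// Hypothetical controllers; role names are placeholders, not AbleCommerce's groups.
[Authorize(Roles = "SuperAdmin")]            // class level: applies to every action
public class PaymentGatewayController : Controller
{
    public ActionResult Index() { return Content("gateways"); }
}

public class CatalogController : Controller
{
    [Authorize(Roles = "SuperAdmin,CatalogAdmin")]   // either role may call Edit
    public ActionResult Edit(int id) { return Content("edit " + id); }

    public ActionResult Export() { return Content("export"); }  // undecorated: reported
}

public static class AuthorizeAudit
{
    // Lists "Controller.Action" for each public action that has neither [Authorize]
    // nor [AllowAnonymous] on the method or on its controller class.
    public static List<string> FindUndecoratedActions(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .SelectMany(t => t.GetMethods(
                BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly))
            .Where(m => ReturnsActionResult(m) && !m.IsDefined(typeof(NonActionAttribute), true))
            .Where(m => !IsDecorated(m) && !IsDecorated(m.DeclaringType))
            .Select(m => m.DeclaringType.Name + "." + m.Name)
            .ToList();
    }

    private static bool ReturnsActionResult(MethodInfo m)
    {
        Type t = m.ReturnType;   // unwrap Task<T> so async actions are included
        if (t.IsGenericType && t.GetGenericTypeDefinition() == typeof(Task<>))
            t = t.GetGenericArguments()[0];
        return typeof(ActionResult).IsAssignableFrom(t);
    }

    private static bool IsDecorated(MemberInfo member) =>
        member.IsDefined(typeof(AuthorizeAttribute), true)
        || member.IsDefined(typeof(AllowAnonymousAttribute), true);
}
```

Calling `AuthorizeAudit.FindUndecoratedActions(typeof(CatalogController).Assembly)` from a unit test and failing on a non-empty result keeps new actions from shipping without an attribute; for the sample controllers above it reports only `CatalogController.Export`.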