[ST-250] Insecure direct Object Reference: Confirmation statement - Workterra Jira

Details

Type: Bug
Status: Closed
Priority: Medium
Resolution: Done
Component/s: BenAdmin
Labels:
None

Module:
BenAdmin - Security
Reported by:
Support
Item State:
Production Complete - Closed
Issue Importance:
Must Have

Description

URL:
https://wt-stage.harbinger.in/Assets/Temp/d4b28f08-dfb5-4923-850c-c53bac2383f6.pdf

Description:
login with employee credentials and in confirmation statement there is
Option to export pdf. This link can be directly accessed and viewed from different machines without Credentials.

Resolution:
Restrict all post login pages from getting accessed directly.
Authorization of the user specific resource must be implemented and publicly they should not be accessible

Hide

Permalink

Sachin Hingole (Inactive) added a comment - 24/Jul/16 07:40 AM

PCORI is downloaded without issue for Partner Login and Admin Login.

Deepali Tidke Please verify confirmation statement report using all log in.

Show

Sachin Hingole (Inactive) added a comment - 24/Jul/16 07:40 AM PCORI is downloaded without issue for Partner Login and Admin Login. Deepali Tidke Please verify confirmation statement report using all log in.

Hide

Permalink

Deepali Tidke (Inactive) added a comment - 25/Jul/16 09:05 AM - edited

Checked the Confirmation statement from EE, partner and admin level >> now on click of PDF for confirmation statement >> statement downloads.

Show

Deepali Tidke (Inactive) added a comment - 25/Jul/16 09:05 AM - edited Checked the Confirmation statement from EE, partner and admin level >> now on click of PDF for confirmation statement >> statement downloads.

Hide

Permalink

Kumar Chhajed (Inactive) added a comment - 28/Jul/16 06:20 AM

Vijayendra Shinde Deepali Tidke Sachin Hingole

Note - The point deployed under this JIRA on Production is only for the issue of PCORI download for Admin login. Other points will get deployed after production build.

Show

Kumar Chhajed (Inactive) added a comment - 28/Jul/16 06:20 AM Vijayendra Shinde Deepali Tidke Sachin Hingole Note - The point deployed under this JIRA on Production is only for the issue of PCORI download for Admin login. Other points will get deployed after production build.

Hide

Permalink

Sachin Hingole (Inactive) added a comment - 28/Jul/16 07:43 AM

PCORI is downloaded without issue for Partner Login and Admin Login.

Deepali Tidke Please verify confirmation statement report using all log in and close this JIRA.

Show

Sachin Hingole (Inactive) added a comment - 28/Jul/16 07:43 AM PCORI is downloaded without issue for Partner Login and Admin Login. Deepali Tidke Please verify confirmation statement report using all log in and close this JIRA.

Hide

Permalink

Rakesh Roy (Inactive) added a comment - 01/Aug/16 06:26 PM

Working fine for confirmation statement.

Show

Rakesh Roy (Inactive) added a comment - 01/Aug/16 06:26 PM Working fine for confirmation statement.

People

Assignee:: Sachin Hingole (Inactive)

Reporter:: Vijayendra Shinde (Inactive)

Developer:: Kumar Chhajed (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 13/Jul/16 07:22 AM

Updated:: 01/Aug/16 06:26 PM

Resolved:: 01/Aug/16 06:26 PM

Pre-Prod Due Date:: 25/Jul/2016

Production Due Date:: 26/Jul/2016

Details

Description

Attachments

Attachments

Activity

People

Dates