
Insecure Direct Object Reference: Confirmation statement

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
      None
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have

      Description

      URL:
      https://wt-stage.harbinger.in/Assets/Temp/d4b28f08-dfb5-4923-850c-c53bac2383f6.pdf

      Description:
      Log in with employee credentials; in the confirmation statement there is an
      option to export a PDF. This link can be directly accessed and viewed from different machines without credentials.

      Resolution:
      Restrict all post-login pages from being accessed directly.
      Authorization of the user-specific resource must be implemented, and it must not be publicly accessible.
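The resolution asks for the export to be served only after an authorization check rather than as a public static file. The following ASP.NET MVC controller is an added example written for this ticket, not code from the WORKTERRA/BenAdmin project; the controller name, the App_Data storage path and the ownership lookup delegate are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Added illustration for ST-250, not project code. The original flaw: the
// export was rendered into a web-served folder (/Assets/Temp/<guid>.pdf) and
// the link handed to the browser, so anyone holding the link could fetch the
// file with no session, regardless of whose statement it was.
// Hardened shape: keep files outside the web root and stream them through an
// action that requires a login AND checks that the statement belongs to the
// caller. Controller name, storage path and ownership lookup are assumptions.
[Authorize]  // anonymous requests are redirected to the login page
public class ConfirmationStatementController : Controller
{
    // Assumed private folder; App_Data is never served directly by IIS.
    private static readonly string StatementRoot =
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "App_Data", "Statements");

    // Assumed lookup: user name that owns a statement id, or null if unknown.
    private readonly Func<Guid, string> _ownerOf;

    public ConfirmationStatementController(Func<Guid, string> ownerOf)
    {
        _ownerOf = ownerOf;
    }

    // GET /ConfirmationStatement/Pdf/{id}
    public ActionResult Pdf(Guid id)
    {
        // Object-level authorization: the id in the URL proves nothing by itself.
        // Admin/partner roles that may view employee statements would need their
        // own rule here; omitted to keep the example short.
        string owner = _ownerOf(id);
        bool isOwner = owner != null &&
            string.Equals(owner, User.Identity.Name, StringComparison.OrdinalIgnoreCase);

        // The path comes from the parsed Guid, never from raw request text, so
        // no directory segments can be smuggled into the file name.
        string path = Path.Combine(StatementRoot, id.ToString("N") + ".pdf");

        // One answer for "not yours" and "does not exist", so ids cannot be
        // probed to learn which statements exist.
        if (!isOwner || !System.IO.File.Exists(path))
            return HttpNotFound();

        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        return File(path, "application/pdf", "ConfirmationStatement.pdf");
    }
}
```

The same pattern applies to the report viewer URLs discussed later in the ticket: the check is on the resource, not only on whether a session exists.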

        Attachments

          Activity

          Vijayendra Shinde (Inactive) created issue
          Vijayendra Shinde (Inactive) made changes: Assignee set to Vijayendra Shinde [ID10506]
          Vijayendra Shinde (Inactive) made changes: Status: Open [1] -> In Development [10007]
          Vijayendra Shinde (Inactive) added a comment (edited):

          Affected files:

          /trunk/WORKTERRAweb/Web/Web Projects/BenAdmin/Areas/ACA/Views/ACA/ACAAnalytics/PCORIReport.cshtml
          /trunk/WORKTERRAweb/Web/Web Projects/BenAdmin/Areas/UserDetails/Views/UserDetails/EnrollmentSummary/EnrollmentSummary.cshtml

          Newly added:
          SharedFunctionWebTier/SharedFunctionWebTier/Views/Shared/NotFound.cshtml
          SharedFunctionWebTier/SharedFunctionWebTier/Views/Shared/NotFound.generated.cs
          Web Projects/WORKTERRA/ReportViewer/ViewReport.aspx.cs

          Vijayendra Shinde (Inactive) made changes: Item State: Development(10200) / In Progress(10206) -> Development(10200) / Ready for Local Testing(10209)
          Gokul Sonawane (Inactive) made changes: Item State: Development(10200) / Ready for Local Testing(10209) -> LB QA(10201)
          Vijayendra Shinde (Inactive) made changes: Assignee: Vijayendra Shinde [ID10506] -> Deepali Tidke [deepalit]
          Vijayendra Shinde (Inactive) made changes: Item State: LB QA(10201) -> LB QA(10201) / LB Deployed(11600)
          Deepali Tidke (Inactive) made changes: Status: In Development [10007] -> Local Testing [10200]
          Deepali Tidke (Inactive) added a comment:

          Checked the confirmation statement from EE, partner and admin level >> now on click of PDF for confirmation statement >> statement gets downloaded.

          Sachin Hingole, kindly put in the comments for PCORI.

          Sachin Hingole (Inactive) made changes: Status: Local Testing [10200] -> Reopen in Local [10018]
          Sachin Hingole (Inactive) made changes: Item State: LB QA(10201) / LB Deployed(11600) -> Development(10200)
          Sachin Hingole (Inactive) made changes: Attachment: 07_18_2016_15_39_20_921_3864_2.txt [22103]
          Sachin Hingole (Inactive) added a comment:

          PCORI is downloaded without issue for Partner Login.
          It does nothing when tried using the admin login.

          Steps:
          1] Log in to WT-Stage using ADMIN login
          2] Go to ACA -> ACA Analytics -> PCORI ->
          3] Provide date range and click on Preview button
          4] Click on PDF button from top of page

          Actual result: does nothing; refer to error log 07_18_2016_15_39_20_921_3864_2.txt
          Expected result: it should download the PDF

          Sachin Hingole (Inactive) made changes: Assignee: Deepali Tidke [deepalit] -> Vijayendra Shinde [ID10506]
          Kumar Chhajed (Inactive) made changes: Status: Reopen in Local [10018] -> In Development [10007]
          Kumar Chhajed (Inactive) made changes: Item State: Development(10200) -> Development(10200) / Ready for Local Testing(10209)
          Kumar Chhajed (Inactive) made changes: Assignee: Vijayendra Shinde [ID10506] -> Kumar Chhajed [kumar.chhajed]
          Vijayendra Shinde (Inactive) added a comment:

          Hi Deepali,

          We have authorized the report viewer URLs as well. When we run reports, they run in new windows with the URL exposed. If a user copies that URL and pastes it into a new browser, we redirect the user to the login page, so an unauthorized user will not be able to view reports.

          Please verify this once.

          Gokul Sonawane (Inactive) made changes: Item State: Development(10200) / Ready for Local Testing(10209) -> LB QA(10201) / LB Deployed(11600)
          Kumar Chhajed (Inactive) made changes: Assignee: Kumar Chhajed [kumar.chhajed] -> Sachin Hingole [sachin.hingole]
          Kumar Chhajed (Inactive) made changes: Status: In Development [10007] -> Local Testing [10200]
          Kumar Chhajed (Inactive) added a comment:

          Vijayendra Shinde

          Files affected:

          /Database Objects/OnlineEnrollment/07_Data/25_WT250_WTB_ACA_ModData_PageLevelAccess.sql

          Sachin Hingole (Inactive) made changes: Item State: LB QA(10201) / LB Deployed(11600) -> LB QA(10201) / In Testing(10210)
          Sachin Hingole (Inactive) made changes: Status: Local Testing [10200] -> Reopen in Local [10018]
          Sachin Hingole (Inactive) made changes: Status: Reopen in Local [10018] -> In Development [10007]
          Sachin Hingole (Inactive) made changes: Status: In Development [10007] -> Local Testing [10200]
          Sachin Hingole (Inactive) made changes: Item State: LB QA(10201) / In Testing(10210) -> LB QA(10201) / Ready for Stage(10213)
          Sachin Hingole (Inactive) added a comment:

          Verified the fix for the above comment related to the Company Admin user login.
          Company Admin is able to download the PDF without error.

          Sachin Hingole (Inactive) made changes: Stage Due Date: 25/Jul/16 [2016-07-25]
          Deepali Tidke (Inactive) added a comment:

          Vijayendra Shinde, I have verified the report URLs on LB; now if a user copies a report URL that opened in a new window and pastes it into a new browser, it gets redirected to the login page.

          Deepali Tidke (Inactive) made changes: Production Due Date: 26/Jul/2016
          Sachin Hingole (Inactive) added a comment:

          PCORI is downloaded without issue for Partner Login and Admin Login.

          Deepali Tidke, please verify the confirmation statement report using all logins.

          Deepali Tidke (Inactive) added a comment (edited):

          Checked the confirmation statement from EE, partner and admin level >> now on click of PDF for confirmation statement >> statement downloads.

          Deepali Tidke (Inactive) made changes: Item State: LB QA(10201) / Ready for Stage(10213) -> Stage QA(10202) / Ready for Production(10217)
          Deepali Tidke (Inactive) made changes: Status: Local Testing [10200] -> Stage Testing [10201]
          Deepali Tidke (Inactive) made changes: Status: Stage Testing [10201] -> Production Testing [10202]
          Rakesh Roy (Inactive) made changes: Developer set to Kumar Chhajed [kumar.chhajed]
          Ashwin Wankhede (Inactive) made changes: Item State: Stage QA(10202) / Ready for Production(10217) -> Production QA(10203) / Production Deployed(10221)
          Kumar Chhajed (Inactive) added a comment:

          Vijayendra Shinde Deepali Tidke Sachin Hingole

          Note: the point deployed under this JIRA on Production is only for the issue of PCORI download for Admin login. Other points will get deployed after the production build.

          Kumar Chhajed (Inactive) made changes: Item State: Production QA(10203) / Production Deployed(10221) -> Stage QA(10202) / Ready for Production(10217)
          Sachin Hingole (Inactive) added a comment:

          PCORI is downloaded without issue for Partner Login and Admin Login.

          Deepali Tidke, please verify the confirmation statement report using all logins and close this JIRA.

          Sachin Hingole (Inactive) made changes: Item State: Stage QA(10202) / Ready for Production(10217) -> Production QA(10203) / In Testing(10218)
          Rakesh Roy (Inactive) added a comment:

          Working fine for confirmation statement.

          Rakesh Roy (Inactive) made changes: Resolution: Fixed [1]
          Rakesh Roy (Inactive) made changes: Status: Production Testing [10202] -> Production Complete [10028]
          Rakesh Roy (Inactive) made changes: Item State: Production QA(10203) / In Testing(10218) -> Production Complete(10222) / Closed(10223)
          Rakesh Roy (Inactive) made changes: Status: Production Complete [10028] -> Closed [6]
          Transitions

          Who | Transition | Time In Source Status | Execution Times
          Vijayendra Shinde (Inactive) | Open -> In Development | 17s | 1
          Sachin Hingole (Inactive) | In LB Testing -> Reopen in Local | 1h 25m | 2
          Sachin Hingole (Inactive) | Reopen in Local -> In Development | 1h 30m | 2
          Sachin Hingole (Inactive) | In Development -> In LB Testing | 6d 1h 51m | 3
          Deepali Tidke (Inactive) | In LB Testing -> Stage Testing | 5d 20h 54m | 1
          Deepali Tidke (Inactive) | Stage Testing -> In Production Testing | 2s | 1
          Rakesh Roy (Inactive) | In Production Testing -> Production Complete | 7d 9h 20m | 1
          Rakesh Roy (Inactive) | Production Complete -> Closed | 14s | 1

            People

            Assignee:
            Sachin Hingole (Inactive)
            Reporter:
            Vijayendra Shinde (Inactive)
            Developer:
            Kumar Chhajed (Inactive)
            Votes:
            0
            Watchers:
            5

              Dates

              Created:
              Updated:
              Resolved:
              Pre-Prod Due Date:
              Production Due Date: