[ST-250] Insecure direct Object Reference: Confirmation statement - Workterra Jira

Details

Type: Bug
Status: Closed
Priority: Medium
Resolution: Done
Component/s: BenAdmin
Labels:
None

Module:
BenAdmin - Security
Reported by:
Support
Item State:
Production Complete - Closed
Issue Importance:
Must Have

Description

URL:
https://wt-stage.harbinger.in/Assets/Temp/d4b28f08-dfb5-4923-850c-c53bac2383f6.pdf

Description:
login with employee credentials and in confirmation statement there is
Option to export pdf. This link can be directly accessed and viewed from different machines without Credentials.

Resolution:
Restrict all post login pages from getting accessed directly.
Authorization of the user specific resource must be implemented and publicly they should not be accessible

Hide

Permalink

Vijayendra Shinde (Inactive) added a comment - 13/Jul/16 08:40 AM - edited

Affected files:

/trunk/WORKTERRAweb/Web/Web Projects/BenAdmin/Areas/ACA/Views/ACA/ACAAnalytics/PCORIReport.cshtml
/trunk/WORKTERRAweb/Web/Web Projects/BenAdmin/Areas/UserDetails/Views/UserDetails/EnrollmentSummary/EnrollmentSummary.cshtml

Newly added:
SharedFunctionWebTier/SharedFunctionWebTier/Views/Shared/NotFound.cshtml
SharedFunctionWebTier/SharedFunctionWebTier/Views/Shared/NotFound.generated.cs
Web Projects/WORKTERRA/ReportViewer/ViewReport.aspx.cs

Show

Vijayendra Shinde (Inactive) added a comment - 13/Jul/16 08:40 AM - edited Affected files: /trunk/WORKTERRAweb/Web/Web Projects/BenAdmin/Areas/ACA/Views/ACA/ACAAnalytics/PCORIReport.cshtml /trunk/WORKTERRAweb/Web/Web Projects/BenAdmin/Areas/UserDetails/Views/UserDetails/EnrollmentSummary/EnrollmentSummary.cshtml Newly added: SharedFunctionWebTier/SharedFunctionWebTier/Views/Shared/NotFound.cshtml SharedFunctionWebTier/SharedFunctionWebTier/Views/Shared/NotFound.generated.cs Web Projects/WORKTERRA/ReportViewer/ViewReport.aspx.cs

Hide

Permalink

Deepali Tidke (Inactive) added a comment - 18/Jul/16 10:05 AM

Checked the Confirmation statement from EE, partner and admin level >> now on click of PDF for confirmation statement >> statement get downloads.

Sachin Hingole kindly put the comments for PCORI

Show

Deepali Tidke (Inactive) added a comment - 18/Jul/16 10:05 AM Checked the Confirmation statement from EE, partner and admin level >> now on click of PDF for confirmation statement >> statement get downloads. Sachin Hingole kindly put the comments for PCORI

Hide

Permalink

Sachin Hingole (Inactive) added a comment - 18/Jul/16 10:11 AM

PCORI is downloaded without issue for Partner Login.
It does nothing when tried using admin login.

Steps
1] Log in to WT-Stage using ADMIN login
2] Go to ACA -> ACA Analytics -> PCORI ->
3] Provide date range and click on Preview button
4] Click on PDF button from top of page

actual result - does nothing, refer error log 07_18_2016_15_39_20_921_3864_2.txt
expected result - It should download pdf

Show

Sachin Hingole (Inactive) added a comment - 18/Jul/16 10:11 AM PCORI is downloaded without issue for Partner Login. It does nothing when tried using admin login. Steps 1] Log in to WT-Stage using ADMIN login 2] Go to ACA -> ACA Analytics -> PCORI -> 3] Provide date range and click on Preview button 4] Click on PDF button from top of page actual result - does nothing, refer error log 07_18_2016_15_39_20_921_3864_2.txt expected result - It should download pdf

Hide

Permalink

Vijayendra Shinde (Inactive) added a comment - 19/Jul/16 05:39 AM

Hi Deepali,

We have authorized report viewer urls as well. When we run reports, reports run in new windows with URL exposed. If user copied that URL and pasted it in new browser, we have redirected user on Login page. So unauthorized user will not be able to view reports.

Please verify this once.

Show

Vijayendra Shinde (Inactive) added a comment - 19/Jul/16 05:39 AM Hi Deepali, We have authorized report viewer urls as well. When we run reports, reports run in new windows with URL exposed. If user copied that URL and pasted it in new browser, we have redirected user on Login page. So unauthorized user will not be able to view reports. Please verify this once.

Hide

Permalink

Kumar Chhajed (Inactive) added a comment - 19/Jul/16 11:49 AM

Vijayendra Shinde

Files affected -

/Database Objects/OnlineEnrollment/07_Data/25_WT250_WTB_ACA_ModData_PageLevelAccess.sql

Show

Kumar Chhajed (Inactive) added a comment - 19/Jul/16 11:49 AM Vijayendra Shinde Files affected - /Database Objects/OnlineEnrollment/07_Data/25_WT250_WTB_ACA_ModData_PageLevelAccess.sql

Hide

Permalink

Sachin Hingole (Inactive) added a comment - 19/Jul/16 12:12 PM

Verified the fix for above comment related to Company Admin User login.
Company Admin able to download PDF without error.

Show

Sachin Hingole (Inactive) added a comment - 19/Jul/16 12:12 PM Verified the fix for above comment related to Company Admin User login. Company Admin able to download PDF without error.

Hide

Permalink

Deepali Tidke (Inactive) added a comment - 19/Jul/16 12:14 PM

Vijayendra Shinde I have verified report URL's on LB , now if user copied report URL that opened in new window and pasted it in new browser, it gets redirected on Login page

Show

Deepali Tidke (Inactive) added a comment - 19/Jul/16 12:14 PM Vijayendra Shinde I have verified report URL's on LB , now if user copied report URL that opened in new window and pasted it in new browser, it gets redirected on Login page

Hide

Permalink

Sachin Hingole (Inactive) added a comment - 24/Jul/16 07:40 AM

PCORI is downloaded without issue for Partner Login and Admin Login.

Deepali Tidke Please verify confirmation statement report using all log in.

Show

Sachin Hingole (Inactive) added a comment - 24/Jul/16 07:40 AM PCORI is downloaded without issue for Partner Login and Admin Login. Deepali Tidke Please verify confirmation statement report using all log in.

Hide

Permalink

Deepali Tidke (Inactive) added a comment - 25/Jul/16 09:05 AM - edited

Checked the Confirmation statement from EE, partner and admin level >> now on click of PDF for confirmation statement >> statement downloads.

Show

Deepali Tidke (Inactive) added a comment - 25/Jul/16 09:05 AM - edited Checked the Confirmation statement from EE, partner and admin level >> now on click of PDF for confirmation statement >> statement downloads.

Hide

Permalink

Kumar Chhajed (Inactive) added a comment - 28/Jul/16 06:20 AM

Vijayendra Shinde Deepali Tidke Sachin Hingole

Note - The point deployed under this JIRA on Production is only for the issue of PCORI download for Admin login. Other points will get deployed after production build.

Show

Kumar Chhajed (Inactive) added a comment - 28/Jul/16 06:20 AM Vijayendra Shinde Deepali Tidke Sachin Hingole Note - The point deployed under this JIRA on Production is only for the issue of PCORI download for Admin login. Other points will get deployed after production build.

Hide

Permalink

Sachin Hingole (Inactive) added a comment - 28/Jul/16 07:43 AM

PCORI is downloaded without issue for Partner Login and Admin Login.

Deepali Tidke Please verify confirmation statement report using all log in and close this JIRA.

Show

Sachin Hingole (Inactive) added a comment - 28/Jul/16 07:43 AM PCORI is downloaded without issue for Partner Login and Admin Login. Deepali Tidke Please verify confirmation statement report using all log in and close this JIRA.

Hide

Permalink

Rakesh Roy (Inactive) added a comment - 01/Aug/16 06:26 PM

Working fine for confirmation statement.

Show

Rakesh Roy (Inactive) added a comment - 01/Aug/16 06:26 PM Working fine for confirmation statement.

People

Assignee:: Sachin Hingole (Inactive)

Reporter:: Vijayendra Shinde (Inactive)

Developer:: Kumar Chhajed (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 13/Jul/16 07:22 AM

Updated:: 01/Aug/16 06:26 PM

Resolved:: 01/Aug/16 06:26 PM

Pre-Prod Due Date:: 25/Jul/2016

Production Due Date:: 26/Jul/2016

Details

Description

Attachments

Attachments

Activity

People

Dates