
Possible security leak

Question asked by simon on May 10, 2006
Latest reply on May 12, 2006 by simon
Hi Alfresco,

I accidentally ran into this issue where a normal user can access the Administration Console, which seems like a serious problem. You only need the URL to the Administration Console (or any other A.C. related link): http://youralfresco:8080/alfresco/faces/jsp/admin/admin-console.jsp

This will bring you to the login page, where you log in with a random user and… voila! I logged in as a user with almost no permissions and now have access to the Administration Console. I get a "no permission" error when I try to change something, so it's read-only access, but still…

I tested this on the Alfresco 1.2.0 Enterprise release (with and without LDAP authentication enabled).
