The Joomla! Forum ™



Posted: Sun May 27, 2012 8:41 pm
Joomla! Apprentice

Joined: Thu Feb 24, 2011 11:20 am
Posts: 41
Using Joomla 2.5.4 with K2 2.5.7
It appears that the search index entries are all "Public". This means that clever use of search phrases (or even accidental mistypes) can reveal information that the user should not have access to.

Shouldn't the index entries inherit the view access level of the indexed items?

Not sure if this is a "feature" or "bug" but it is certainly a serious data leak. Is there a way to block Joomla from indexing specific items or categories? I did not find much useful documentation on the search filtering system.


Last edited by TDZWeb on Mon May 28, 2012 12:21 pm, edited 1 time in total.

 
Posted: Mon May 28, 2012 12:03 am
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
Does this happen with just the core or only when K2 is used? If it happens only with K2 then it's a K2 issue.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


 
Posted: Mon May 28, 2012 12:16 am
Joomla! Apprentice

Joined: Thu Feb 24, 2011 11:20 am
Posts: 41
It happens both with core content and K2 specific items. Smart search will give you suggestions from all content, even if you do not have access to it. All index entries are essentially public regardless of the access level of the item in question.

Maybe I configured it wrong somewhere. I am relatively new to Joomla. However, this looks like a straightforward design flaw to me. I cannot use Smart Search on any site right now because of this.


 
Posted: Mon May 28, 2012 3:39 am
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 12066
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
I can confirm and replicate this and have posted in the BugSquad accordingly.

(Example: I created an article named "credit card details" with tailored special permissions (non public), ran the indexer, turned on "suggestions", and with a smart search on "credit card" the system gives me the suggestion "credit card details" as a result.) I cannot access it due to the permissions, but that should never be shown, I agree.

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


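The leak confirmed in the post above, reproduced as an added example that is not part of the original thread and not Joomla's code: a constructed, simplified index in SQLite where suggestions are served either straight from the term list or joined back to each item's access level. The table layout, access-level ids and function names are all assumptions made for illustration.

```python
import sqlite3

# Constructed, simplified index model; this is not Joomla's real schema.
PUBLIC, REGISTERED, SPECIAL = 1, 2, 3  # constructed access-level ids
ITEMS = [  # (id, title, access level needed to view)
    (1, "credit union opening hours", PUBLIC),
    (2, "credit card details", SPECIAL),
    (3, "credit notes for members", REGISTERED),
]
MATCH = "term LIKE ? ESCAPE '\\'"  # SQL fragment: literal prefix match


def build_index():
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, access INTEGER);"
        "CREATE TABLE terms (term TEXT, item_id INTEGER);"
    )
    db.executemany("INSERT INTO items VALUES (?, ?, ?)", ITEMS)
    for item_id, title, _ in ITEMS:
        # Index the full title and each word, each tied to its source item.
        for term in {title, *title.split()}:
            db.execute("INSERT INTO terms VALUES (?, ?)", (term, item_id))
    return db


def like_prefix(text):
    # Escape LIKE wildcards so user input cannot widen the match.
    for ch in ("\\", "%", "_"):
        text = text.replace(ch, "\\" + ch)
    return text + "%"


def suggest_unfiltered(db, prefix):
    """Reported behaviour: every index entry is treated as public."""
    sql = f"SELECT DISTINCT term FROM terms WHERE {MATCH} ORDER BY term"
    return [row[0] for row in db.execute(sql, (like_prefix(prefix),))]


def suggest_filtered(db, prefix, viewer_levels):
    """Suggest a term only if an item the viewer may see contains it."""
    marks = ",".join("?" * len(viewer_levels)) or "NULL"
    sql = (f"SELECT DISTINCT t.term FROM terms t JOIN items i ON i.id = t.item_id "
           f"WHERE t.{MATCH} AND i.access IN ({marks}) ORDER BY t.term")
    return [row[0] for row in db.execute(sql, (like_prefix(prefix), *viewer_levels))]
```

A shared word such as "credit" is still suggested to a public visitor because a public item contains it, while the restricted title is suggested only to viewers whose access levels include that item's level.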
 
Posted: Mon May 28, 2012 12:20 pm
Joomla! Apprentice

Joined: Thu Feb 24, 2011 11:20 am
Posts: 41
So after following the discussion in the bug squad I suppose we can say in conclusion this will not be fixed anytime soon.

A workaround is to choose to "Hide" search suggestions in options in the Smart Search component control panel. I guess this is sort of "resolved". Should the title be updated?


 
Posted: Mon May 28, 2012 6:05 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11706
Location: The Girly Side of Joomla in Sussex
Topic locked due to investigation via JBS
