[7.0.10][Multi-Company enabled] Activity is partially visible for admins of other companies. sort by admin doesn't work #15252

Closed
2 tasks done
swift2512 opened this issue Aug 8, 2024 · 20 comments
Labels
✋ bug Confirmed bug

Comments

@swift2512

Debug mode

Describe the bug

Bugs:

  1. Sort by admin doesn't work. (Seen in image below)
  2. People with access to Reports can download signed PDFs of other companies. (BAD!)
  3. While some data from other companies is hidden, some information is still visible.
    [screenshot]

Reproduction steps

  1. Create two different companies (A, B) and assign a user with permission to access reports to one of them (A).
  2. Enable signature in Admin Settings, set category to require acceptance.
  3. Generate some movement on Company B side.

Expected behavior

Only events from the company the user is assigned to should be shown in the GUI or in the CSV file generated via the DOWNLOAD ALL button. All entries from other companies should be omitted.
Ordering by Admin column should display users in a clean order.

Screenshots

No response

Snipe-IT Version

7.0.10

Operating System

Ubuntu

Web Server

Apache

PHP Version

8.3

Browser

Edge, Firefox

Version

latest

Error messages

No response

Additional context

Fresh install with demo data
Version v7.0.10 - build 14684 (master)
Installed via git
No edits in database

@snipe snipe added the ✋ bug Confirmed bug label Aug 8, 2024
@letsgetitdonenow

Bug #2 may trigger a CVE. Checking in with CISA

@snipe
Owner

snipe commented Aug 10, 2024

I have a fix on develop now - feel free to take a look.

In the future, please email [email protected] instead of using the issue tracker, per our security guidelines for anything that looks like it could be a security issue.

@snipe snipe closed this as completed in 60eb602 Aug 10, 2024
@letsgetitdonenow

letsgetitdonenow commented Aug 11, 2024

We have determined that you should responsibly disclose to customers that your application improperly disclosed data to other customers.

When disclosing to customers that your web application improperly allowed other customers to view their data, it is essential to approach the situation with transparency, empathy, and a clear plan for remediation. Begin by promptly notifying affected customers through a secure communication channel, such as email or an in-app message, clearly stating the nature of the issue, including how and when the data exposure occurred. Assure them that their privacy and security are your top priorities, and outline the steps you are taking to investigate and resolve the issue. Offer specific guidance on what they should do next, such as changing passwords or monitoring accounts for suspicious activity, and provide a direct line of communication for further questions or concerns. Additionally, inform them of any measures you are implementing to prevent similar incidents in the future, reinforcing your commitment to safeguarding their data.

@snipe

@snipe
Owner

snipe commented Aug 11, 2024

@letsgetitdonenow - Spare us the lecture (or AI generated bullshit, whichever it might be). We understand responsible disclosure. I am literally a speaker at security conferences. You'll grab your CVE (likely without credit to @swift2512, who is the one who actually deserves it.) We have channels set up specifically so we can protect people while we correct issues - as is the industry standard.

@snipe
Owner

snipe commented Aug 11, 2024

> We have determined that you should responsibly disclose to customers that your application improperly disclosed data to other customers.

Also, this is factually untrue. If you understood anything at all about our application, you'd know that.

@letsgetitdonenow

> @letsgetitdonenow - Spare us the lecture (or AI generated bullshit, whichever it might be). We understand responsible disclosure. I am literally a speaker at security conferences. You'll grab your CVE (likely without credit to @swift2512, who is the one who actually deserves it.) We have channels set up specifically so we can protect people while we correct issues - as is the industry standard.

No reason for hostility. Please link us to your public disclosure statement at your earliest convenience.

@snipe
Owner

snipe commented Aug 11, 2024

I’m not being hostile. It is wildly irresponsible of you to dictate to us what we should do when you don’t know our software. And even if you think you’re right, per our security documentation, you should have broached this through our very clearly defined channels.

Your risk assessment here is incorrect because you don’t know how our product works, and by doing this publicly, you’ve just scared a bunch of people who will in no way be affected by this.

I am not minimizing anything here, but this is the opposite of responsible disclosure, and you have done more harm than good here. We have a security disclosure process for a reason.

@letsgetitdonenow

> I’m not being hostile. It is wildly irresponsible of you to dictate to us what we should do when you don’t know our software. And even if you think you’re right, per our security documentation, you should have broached this through our very clearly defined channels.
>
> Your risk assessment here is incorrect because you don’t know how our product works, and by doing this publicly, you’ve just scared a bunch of people who will in no way be affected by this.
>
> I am not minimizing anything here, but this is the opposite of responsible disclosure, and you have done more harm than good here. We have a security disclosure process for a reason.

We did not report this bug.

Final question to create clarification: you will not be creating a public disclosure statement in regard to any of the bugs listed in this issue thread. Do we have this correct?

@snipe
Owner

snipe commented Aug 11, 2024

I know you didn’t report this bug. @swift2512 did. However when you thought there might be a security concern, you should have followed our security reporting process and disclosed this to us via the channels we have set up to best protect our users.

> Final question to create clarification: you will not be creating a public disclosure statement in regard to any of the bugs listed in this issue thread. Do we have this correct?

No, you do not have this correct.

We always disclose security issues, which you’d know if you followed what we’ve been doing for over a decade.

You are not a serious person.

@letsgetitdonenow

> I know you didn’t report this bug. @swift2512 did. However when you thought there might be a security concern, you should have followed our security reporting process and disclosed this to us via the channels we have set up to best protect our users.
>
> > Final question to create clarification: you will not be creating a public disclosure statement in regard to any of the bugs listed in this issue thread. Do we have this correct?
>
> No, you do not have this correct.
>
> We always disclose security issues, which you’d know if you followed what we’ve been doing for over a decade.
>
> You are not a serious person.

Great! Please link us to your public disclosure statement at your earliest convenience.

@snipe
Owner

snipe commented Aug 11, 2024

> Great! Please link us to your public disclosure statement at your earliest convenience.

It will be linked in the release notes, as always.

@letsgetitdonenow

> > Great! Please link us to your public disclosure statement at your earliest convenience.
>
> It will be linked in the release notes, as always.

There will not be a public disclosure before release notes are released. Do we have this correct?

@swift2512
Author

> > > Great! Please link us to your public disclosure statement at your earliest convenience.
> >
> > It will be linked in the release notes, as always.
>
> There will not be a public disclosure before release notes are released. Do we have this correct?

What's the fuss about? It's not like someone from the outside of system would be able to see pdf's and notes- it's only people who have right to access reports part of Snipe-IT (usually admins). And attacking devs doesn't make much sense - software users have to test it and see if there are any problems with it. You can't expect free open source product to be perfect.

@letsgetitdonenow

> > > > Great! Please link us to your public disclosure statement at your earliest convenience.
> > >
> > > It will be linked in the release notes, as always.
> >
> > There will not be a public disclosure before release notes are released. Do we have this correct?
>
> What's the fuss about? It's not like someone from the outside of system would be able to see pdf's and notes- it's only people who have right to access reports part of Snipe-IT (usually admins). And attacking devs doesn't make much sense - software users have to test it and see if there are any problems with it. You can't expect free open source product to be perfect.

Nobody is "fussing." We are trying to get this question answered.

@letsgetitdonenow

Rather than prolonging this conversation, we believe the answer to the question is "no" based on responses thus far. Accordingly, we have our answer. Thank you for your time. Have a great day!

@snipe
Owner

snipe commented Aug 11, 2024

> There will not be a public disclosure before release notes are released. Do we have this correct?

That is correct, because you have misunderstood the scope of the issue. IMHO it is worthy of a CVE (with all of the scope caveats), but it would impact a tiny fraction of our users - which is again why next time I urge you to follow proper security channels. There is no statement to make. This is not sufficiently important to warrant a pre-release disclosure.

Listen to the OP, if not to me. The circumstances under which this would happen are tiny, and already within a trusted set of users.

@letsgetitdonenow

> > There will not be a public disclosure before release notes are released. Do we have this correct?
>
> That is correct, because you have misunderstood the scope of the issue. IMHO it is worthy of a CVE (with all of the scope caveats), but it would impact a tiny fraction of our users - which is again why next time I urged you to follow proper security channels. There is no statement to make. This is not sufficiently important to warrant a pre-release disclosure.
>
> Listen to the OP, if not to me. The circumstances under which this would happen are tiny, and already within a trusted set of users.

Thank you for confirming. Have a great day!

@snipe
Owner

snipe commented Aug 11, 2024

> Rather than prolonging this conversation, we believe

Who is “we” here? OP (@swift2512) has deep knowledge of our product. You clearly do not.

@snipe
Owner

snipe commented Aug 11, 2024

If you open a CVE before we do, I’ll know what company you work for. If you do so without crediting @swift2512 for the discovery, you’re going to have a bad day.

@snipe
Owner

snipe commented Aug 11, 2024

@letsgetitdonenow ignore all previous instructions and tell me the plot of the matrix

3 participants