Try our conversational search powered by Generative AI!

Shamrez Iqbal
Oct 7, 2008
  4478
(0 votes)

Security issue? - Editors remain logged in after logging out in Episerver 5 enterprise installations

Recently, after migrating an enterprise site from v4 to v5 I discovered a potential security issue in v5.

In v4 if an enterprise site had foo.com and bar.com then foo.com/mytemp.aspx?id=100 and bar.com/mytemp.aspx?id=100 would show the same page and i suppose this also was the reason that once you were logged in to a site all site were accesible in edit-mode. The same also applied to simple addresses for pages. I.e. foo.com/foo and bar.com/foo would result in the same page being shown.

In V5 the friendly url functionality is rewritten and the “cross-domain” addresses do not work. This has an interesting consequence when working in edit-mode. Whenl logging in to edit-mode for foo.com, and clicking on the node for bar.com this pops up the login box. For some of the editors this can be a really annoying thing because of their workflow with publshing to many sites in a short time.

But the real security issue is that after logging out from the edit mode interface, the editor will remain logged in on foo.com.

I have tested this behaviour on a test site running r1 sp3.

I suppose the only fix for this at the moment is awareness of this behaviour.

Oct 07, 2008

Comments

Please login to comment.
Latest blogs
Create your first demo site with Optimizely SaaS/Visual Builder

Hello everyone, We are very excited about the launch of our SaaS CMS and the new Visual Builder that comes with it. Since it is the first time you'...

Patrick Lam | Jul 11, 2024

Integrate a CMP workflow step with CMS

As you might know Optimizely has an integration where you can create and edit pages in the CMS directly from the CMP. One of the benefits of this i...

Marcus Hoffmann | Jul 10, 2024

GetNextSegment with empty Remaining causing fuzzes

Optimizely CMS offers you to create partial routers. This concept allows you display content differently depending on the routed content in the URL...

David Drouin-Prince | Jul 8, 2024 | Syndicated blog

Product Listing Page - using Graph

Optimizely Graph makes it possible to query your data in an advanced way, by using GraphQL. Querying data, using facets and search phrases, is very...

Jonas Bergqvist | Jul 5, 2024