Shamrez Iqbal
Oct 7, 2008

Security issue? - Editors remain logged in after logging out in EPiServer 5 enterprise installations

Recently, after migrating an enterprise site from v4 to v5, I discovered a potential security issue in v5.

In v4, if an enterprise installation served foo.com and bar.com, then foo.com/mytemp.aspx?id=100 and bar.com/mytemp.aspx?id=100 showed the same page, and I suppose this is also why, once you were logged in to one site, all sites were accessible in edit mode. The same applied to simple addresses for pages: foo.com/foo and bar.com/foo resulted in the same page being shown.

In v5 the friendly URL functionality has been rewritten and these "cross-domain" addresses no longer work. This has an interesting consequence in edit mode: after logging in to edit mode on foo.com, clicking the node for bar.com pops up the login box again, so the editor has to log in to bar.com separately. For some editors this is a real annoyance, because their workflow involves publishing to many sites in a short time.

But the real security issue is that after logging out from the edit-mode interface, the editor remains logged in on foo.com: the logout only ends the session on the site it was performed on, and the other site's session stays open.

I have tested this behaviour on a test site running R1 SP3.

I suppose the only fix for this at the moment is awareness of this behaviour: editors need to log out of every site they logged in to, not just the one they happen to be working on.
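To make the sequence above reproducible, here is an added example (my own code, not EPiServer's) that replays it against a constructed in-memory stand-in for a two-host enterprise installation. It uses Python's http.cookiejar so that the per-host cookie scoping is the real behaviour a browser applies, not a hand-written approximation. It assumes the edit-mode login is an ASP.NET forms-authentication cookie scoped to the host that issued it; the cookie name .EPiServerLogin and the /Util/login.aspx, /Util/logout.aspx and /edit/ paths are assumptions, and the server-side ticket table is a simplification (forms authentication validates a signed ticket rather than looking it up). The probe and the "log out everywhere" check are what you would point a real HTTP client at to verify your own hosts.

```python
import http.cookiejar
import secrets
import urllib.request
from email.message import Message

# Forms-auth cookie name and login/logout/edit paths: assumptions for this example.
COOKIE_NAME = ".EPiServerLogin"
LOGIN_PATH = "/Util/login.aspx"
LOGOUT_PATH = "/Util/logout.aspx"
EDIT_PATH = "/edit/"


class _Response:
    """Minimal response object: CookieJar.extract_cookies() only needs .info()."""

    def __init__(self, status, set_cookie=None):
        self.status = status
        self.headers = Message()
        if set_cookie is not None:
            self.headers["Set-Cookie"] = set_cookie

    def info(self):
        return self.headers


class FakeEnterpriseCms:
    """Constructed stand-in for one installation answering for several hosts.

    Each host issues its own host-scoped ticket cookie. Live tickets are kept in a
    per-host table only so the stand-in can answer "is this session valid?"; real
    forms authentication validates a signed ticket instead of looking it up.
    """

    def __init__(self, hosts):
        self.hosts = tuple(hosts)
        self.tickets = {h: set() for h in self.hosts}

    @staticmethod
    def _ticket_from(request):
        """Pull our cookie out of the Cookie header the browser attached, if any."""
        for part in request.get_header("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME:
                return value
        return None

    def handle(self, request):
        host, path = request.host, request.selector
        if host not in self.tickets:
            return _Response(404)
        if path == LOGIN_PATH:
            ticket = secrets.token_hex(8)
            self.tickets[host].add(ticket)
            # No Domain attribute on the cookie: the browser scopes it to this host only.
            return _Response(302, f"{COOKIE_NAME}={ticket}; Path=/; HttpOnly")
        if path == LOGOUT_PATH:
            # Logout clears the cookie for *this* host; the other hosts' cookies are untouched.
            self.tickets[host].discard(self._ticket_from(request))
            return _Response(
                302, f"{COOKIE_NAME}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT")
        if path == EDIT_PATH:
            ok = self._ticket_from(request) in self.tickets[host]
            return _Response(200 if ok else 302)  # 302 stands for "redirect to login box"
        return _Response(404)


class Browser:
    """Cookie-aware client; http.cookiejar applies the same per-host scoping a browser does."""

    def __init__(self, server):
        self.server = server
        self.jar = http.cookiejar.CookieJar()

    def get(self, url):
        request = urllib.request.Request(url)
        self.jar.add_cookie_header(request)          # attaches cookies for this host only
        response = self.server.handle(request)
        self.jar.extract_cookies(response, request)  # stores/clears cookies for this host only
        return response.status

    def edit_mode_open(self, host):
        return self.get(f"http://{host}{EDIT_PATH}") == 200


def probe_cross_site_logout(browser, first_host, second_host):
    """Replay the reported sequence; returns which hosts still have a live edit-mode session."""
    browser.get(f"http://{first_host}{LOGIN_PATH}")    # log in to edit mode on the first site
    browser.get(f"http://{second_host}{LOGIN_PATH}")   # click the second site's node, log in again
    browser.get(f"http://{second_host}{LOGOUT_PATH}")  # log out from the edit-mode interface there
    return {h: browser.edit_mode_open(h) for h in (first_host, second_host)}


def logout_everywhere(browser, hosts):
    """The workaround: log out of every host explicitly, then verify none is still open."""
    for host in hosts:
        browser.get(f"http://{host}{LOGOUT_PATH}")
    return {h: browser.edit_mode_open(h) for h in hosts}


if __name__ == "__main__":
    cms = FakeEnterpriseCms(["foo.com", "bar.com"])
    editor = Browser(cms)
    print(probe_cross_site_logout(editor, "foo.com", "bar.com"))
    print(logout_everywhere(editor, cms.hosts))
```

The probe reports foo.com still open after the bar.com logout, which is the behaviour described above; logout_everywhere then shows every host closed. The same two functions can be run against a real installation by replacing the stand-in server with a client that issues the requests over HTTP and feeds the real responses through the same cookie jar.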

