Posted to user@openmeetings.apache.org by Andre Wruszczak <wr...@web.de> on 2016/07/23 01:02:10 UTC

Private Recordings accessible to all Users!

Dear Openmeetings-Dev-Team,

I have yet another question.

Is it possible to force user ID validation for recordings?
Maybe it is because my browser is storing my session ID, but when I switch users, all of them can see other people's recordings if they try the URL:
http://localhost:5080/openmeetings/recordings/mp4/47
-> Anyone logged in can get access to all recordings if they are tenacious enough to try all the numbers.

Maybe I have made a mistake while setting up OM? (Current version 3.1.1)

With lots of regards,

Andre


Re: Private Recordings accessible to all Users!

Posted by Andre Wruszczak <wr...@web.de>.
Thanks for the replies!
I did; I checked with another browser / without cookies / incognito mode / without cache.
I am pretty sure it just checks if there is a valid ssid (user = logged in) and nothing beyond that.

Is the user who records a video actually stored somewhere with the video? (Backend-wise?)

With lots of regards

Andre Wruszczak

From: seba.wagner@gmail.com [mailto:seba.wagner@gmail.com]
Sent: Monday, July 25, 2016 5:18 AM
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: Private Recordings accessible to all Users!


Re: Private Recordings accessible to all Users!

Posted by "seba.wagner@gmail.com" <se...@gmail.com>.
Yeah, to really test it you should use another browser where you are not
logged in. Otherwise you might use your cookie session ID implicitly.

Thanks
Seb

2016-07-25 14:43 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:


-- 
Sebastian Wagner
https://twitter.com/#!/dead_lock
seba.wagner@gmail.com
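
The test Sebastian recommends, written out as an added Python example (not code from the thread or from the OpenMeetings project): request the same recording URL from an anonymous client, from a second user's fresh session, and from the owner's session, and compare the status codes side by side. The fake server functions, session IDs and recording IDs are constructed for the demo; only the /openmeetings/recordings/mp4/<id> path comes from Andre's report.

```python
"""Differential access probe for an ID-addressed download endpoint.

Added example, not OpenMeetings code. It automates the test Sebastian
describes: fetch the same recording URL from a client that is NOT the
owner's browser, because the owner's own cookie makes the check pass
trivially. The fake server functions, session IDs and recording IDs are
constructed for the demo; only the URL path is taken from Andre's report.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Path from the thread; the numeric id is the object reference being enumerated.
RECORDING_PATH = "/openmeetings/recordings/mp4/{rec_id}"

# fetch(session_cookie_or_None, rec_id) -> HTTP status code
Fetcher = Callable[[Optional[str], int], int]


@dataclass
class Finding:
    rec_id: int
    url: str
    anonymous: int   # status with no session at all
    other_user: int  # status with a second, unrelated user's session
    owner: int       # status with the owner's session (control)

    @property
    def severity(self) -> str:
        # An unauthenticated read is the worst case; an authenticated
        # non-owner read is the IDOR Andre reports.
        if self.anonymous == 200:
            return "unauthenticated read"
        if self.other_user == 200:
            return "idor: other logged-in user can read"
        return "ok"


def differential_probe(fetch: Fetcher, rec_ids: Iterable[int],
                       owner_session: str, other_session: str) -> List[Finding]:
    """Request every id three ways and record the status codes side by side.

    `other_session` must be a fresh login of a different account (another
    browser, incognito, or a scripted client with its own cookie jar).
    """
    findings = []
    for rec_id in rec_ids:
        findings.append(Finding(
            rec_id=rec_id,
            url=RECORDING_PATH.format(rec_id=rec_id),
            anonymous=fetch(None, rec_id),
            other_user=fetch(other_session, rec_id),
            owner=fetch(owner_session, rec_id),
        ))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[int]]:
    """Group recording ids by severity label."""
    out: Dict[str, List[int]] = {}
    for f in findings:
        out.setdefault(f.severity, []).append(f.rec_id)
    return out


# --- constructed stand-in for the server so the probe runs offline -------
# Two test accounts; alice owns recordings 47 and 48, bob owns nothing,
# id 49 does not exist.
SESSIONS = {"sid-alice": "alice", "sid-bob": "bob"}
RECORDINGS = {47: "alice", 48: "alice"}


def fake_fetch_session_only(session: Optional[str], rec_id: int) -> int:
    """Behaviour Andre describes for 3.1.1: any valid session gets any recording."""
    if session not in SESSIONS:
        return 401
    return 200 if rec_id in RECORDINGS else 404


def fake_fetch_owner_checked(session: Optional[str], rec_id: int) -> int:
    """Expected behaviour once ownership is enforced on a private recording."""
    if session not in SESSIONS:
        return 401
    if rec_id not in RECORDINGS:
        return 404
    return 200 if RECORDINGS[rec_id] == SESSIONS[session] else 403


if __name__ == "__main__":
    ids = range(47, 50)
    print("session-only check:", summarize(
        differential_probe(fake_fetch_session_only, ids, "sid-alice", "sid-bob")))
    print("owner check      :", summarize(
        differential_probe(fake_fetch_owner_checked, ids, "sid-alice", "sid-bob")))
```

Against a live instance you would replace the fake fetchers with a real HTTP client that carries one cookie jar per session; the point of the three columns is that a 200 in the owner column alone proves nothing, while a 200 in the other-user or anonymous column for an id the second account did not create is the finding.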

Re: Private Recordings accessible to all Users!

Posted by Maxim Solodovnik <so...@gmail.com>.
According to this [1] check, only logged-in users are able to get recordings
(the user session can be logged in via secureHash, user/password, LDAP, etc.).
This [2] check was rewritten not to allow access to someone else's recordings.

Would appreciate any additional testing on this.
The demo will be updated as soon as the new SNAPSHOT is ready.

[1]
https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/RecordingResourceReference.java#L125
[2]
https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/RecordingResourceReference.java#L89

On Tue, Jul 26, 2016 at 12:50 PM, seba.wagner@gmail.com <
seba.wagner@gmail.com> wrote:


-- 
WBR
Maxim aka solomax

Re: Private Recordings accessible to all Users!

Posted by "seba.wagner@gmail.com" <se...@gmail.com>.
Are you really sure the recording is private?

Because only if it has an owner and is private will it validate it. If it's
public, then you just need a valid login session token.

But it seems like you can also access it even without a valid session token?

Thanks,
Sebastian

2016-07-26 17:25 GMT+12:00 Maxim Solodovnik <so...@gmail.com>:


-- 
Sebastian Wagner
https://twitter.com/#!/dead_lock
seba.wagner@gmail.com
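
The access rules Sebastian and Maxim describe in their two replies (a valid login session first; then a public recording is readable by any logged-in user, a private one only by its owner), as an added Python example that is not OpenMeetings code. It also carries Andre's question about a null OwnerId through to show why a check that only validates "if it has an owner" fails open when that column is empty. The Recording/User shapes and all function names are constructed here, and the group-membership branch is an assumption of this example, not something the thread states.

```python
"""Who may download a recording: three versions of the decision.

Added example, not OpenMeetings code. It models the rules from the
thread: a valid login session is required first; a public recording is
then readable by any logged-in user; a private one only by its owner.
The Recording/User shapes and function names are constructed, and the
group-membership branch in check_fail_closed is an assumption of this
example, not something the thread states.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Recording:
    rec_id: int
    owner_id: Optional[int]   # None models Andre's suspicion that OwnerId is always null
    group_id: Optional[int]
    is_public: bool


@dataclass(frozen=True)
class User:
    user_id: int
    group_ids: FrozenSet[int] = frozenset()


def check_session_only(user: Optional[User], rec: Recording) -> bool:
    """What Andre observed: a valid session is the only thing checked."""
    return user is not None


def check_owner_if_present(user: Optional[User], rec: Recording) -> bool:
    """Sebastian's wording taken literally: validate ownership only when
    the recording has an owner and is private. Correct while owner_id is
    populated; a private recording whose owner_id is None is handed to
    every logged-in user, i.e. the check fails open."""
    if user is None:
        return False
    if rec.is_public:
        return True
    if rec.owner_id is not None:
        return rec.owner_id == user.user_id
    return True  # nothing to compare against, so the request goes through


def check_fail_closed(user: Optional[User], rec: Recording) -> bool:
    """Deny unless some positive rule grants access. Missing ownership
    data is a reason to deny, not a reason to skip the comparison."""
    if user is None:
        return False
    if rec.is_public:
        return True
    if rec.owner_id is not None and rec.owner_id == user.user_id:
        return True
    if rec.group_id is not None and rec.group_id in user.group_ids:
        return True  # assumption: members of the recording's group may view it
    return False


if __name__ == "__main__":
    bob = User(2, frozenset({20}))
    orphan_private = Recording(48, owner_id=None, group_id=None, is_public=False)
    for check in (check_session_only, check_owner_if_present, check_fail_closed):
        print(f"{check.__name__:24s} bob -> rec 48 (private, no owner): {check(bob, orphan_private)}")
```

The difference between the last two functions is the default: the second treats a missing owner as "no rule applies, allow", the third as "no rule grants access, deny". Whether the 3.1.x code had the null-owner case is not settled in this thread; the example only shows why Andre's question matters for any check of this shape.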

Re: Private Recordings accessible to all Users!

Posted by Maxim Solodovnik <so...@gmail.com>.
https://issues.apache.org/jira/browse/OPENMEETINGS-1438

On Tue, Jul 26, 2016 at 12:00 PM, Maxim Solodovnik <so...@gmail.com>
wrote:


-- 
WBR
Maxim aka solomax

Re: Private Recordings accessible to all Users!

Posted by Maxim Solodovnik <so...@gmail.com>.
Seems to be reproducible :((((
I'm going to investigate/fix it ASAP; additionally, the 3.1.2 release will be
postponed to include this fix.
Could you please create a JIRA issue?

On Mon, Jul 25, 2016 at 6:48 PM, Andre Wruszczak <wr...@web.de> wrote:


-- 
WBR
Maxim aka solomax

Re: Private Recordings accessible to all Users!

Posted by Andre Wruszczak <wr...@web.de>.
Ah! Thanks for the source link.

Maybe the OwnerId or GroupId is always null?

Hmm..

From: Maxim Solodovnik [mailto:solomax666@gmail.com]
Sent: Monday, July 25, 2016 4:44 AM
To: Openmeetings user-list <us...@openmeetings.apache.org>
Subject: Re: Private Recordings accessible to all Users!


Re: Private Recordings accessible to all Users!

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Andre,

Actually, permissions are being checked [1].
I'll double-check this today (I hope I'll have enough time).

[1]
https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-web/src/main/java/org/apache/openmeetings/web/util/RecordingResourceReference.java#L86

On Sat, Jul 23, 2016 at 8:02 AM, Andre Wruszczak <wr...@web.de> wrote:


-- 
WBR
Maxim aka solomax