
Bug Fixed: Security Issue - Logged in Users Can See Other Site Crew Rosters

Posted: Tue Feb 11, 2020 6:11 pm
by admin
Jason Black from the Baltic 52 JULES reported a potential security issue. He indicated he was able to view the crew rosters from other Crew Manager sites when he was logged in.

Re: Bug Fixed: Security Issue - Logged in Users Can See Other Site Crew Rosters

Posted: Tue Feb 11, 2020 6:20 pm
by admin
This was reported at 1:04 pm on 11 February. Based on a phone discussion with Jason, the problem was determined to be related to how WordPress handles multisite users. An immediate security patch was developed and installed. The following describes the test results, after the fix was incorporated, for a logged-in user.
1. Logged-in users may see the crew roster and full names on any site to which the Skipper has added them. Some users are crew members on multiple boats and appear on multiple sites.
2. Logged-in users who open another Crew Manager site will show up as "Logged in" in that site's menu.
3. If a user attempts to view any of the following pages on another site, a message will be displayed indicating that although they are logged in, they have not been added to the site by the Skipper: Roster, Availability, Assignments. Additionally, any calendar events that display crew lists will only show the display name, not the full name that is visible to a logged-in user on their home site.
4. All pop-ups show crew information as in #3.

This security fix was incorporated within 5 hours of being reported and is on all sites effective 6 pm, 11 February 2020.
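The behaviour described in the post (a login is valid across the whole WordPress network, but Roster, Availability and Assignments are only shown to users the Skipper has added to that particular site, and everyone else sees display names rather than full names) comes down to checking per-site membership rather than just "is logged in". The following is an added illustration of that check, not Crew Manager's own code: the page slugs, the function names prefixed cm_example_ and the message text are assumptions; the WordPress functions used (is_user_logged_in, get_current_user_id, get_current_blog_id, is_user_member_of_blog, get_userdata, is_page, esc_html, add_filter) are real core functions.

```php
<?php
/*
 * Added example, not Crew Manager's own code. In WordPress multisite a login is
 * network-wide, but membership is per site, so is_user_logged_in() alone is not
 * an authorization check; is_user_member_of_blog() against the current blog is.
 * Page slugs, function names and message wording below are assumptions.
 */

// Pages that only crew the Skipper has added to this site may view.
// The page names come from the post above; the slugs are assumed.
const CM_EXAMPLE_PROTECTED_PAGES = array( 'roster', 'availability', 'assignments' );

/**
 * True only if the current user is logged in AND a member of the site being viewed.
 */
function cm_example_user_belongs_to_current_site() {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    return is_user_member_of_blog( get_current_user_id(), get_current_blog_id() );
}

/**
 * Name to show in a calendar event or pop-up: full name on a site the viewer
 * belongs to, display name only everywhere else (items 3 and 4 in the post).
 */
function cm_example_crew_name( $crew_user_id ) {
    $user = get_userdata( $crew_user_id );
    if ( ! $user ) {
        return '';
    }
    if ( cm_example_user_belongs_to_current_site() ) {
        $full = trim( $user->first_name . ' ' . $user->last_name );
        if ( '' !== $full ) {
            return esc_html( $full );
        }
    }
    return esc_html( $user->display_name );
}

/**
 * Replace the protected pages' content with a message for users who are logged
 * in but have not been added to this site by the Skipper.
 */
function cm_example_guard_protected_pages( $content ) {
    if ( ! is_page( CM_EXAMPLE_PROTECTED_PAGES ) ) {
        return $content;
    }
    if ( cm_example_user_belongs_to_current_site() ) {
        return $content;
    }
    if ( is_user_logged_in() ) {
        return '<p>You are logged in, but the Skipper has not added you to this site.</p>';
    }
    return '<p>Please log in to view this page.</p>';
}
add_filter( 'the_content', 'cm_example_guard_protected_pages' );
```

The point a practitioner would check after a fix like this is that the membership test runs on every path that returns crew data, not only on the rendered page: any AJAX or REST endpoint that feeds the pop-ups and calendar has to call the same check, otherwise the roster is still readable by fetching the endpoint directly while logged in on the home site.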