Bug Fixed: Security Issue - Logged in Users Can See Other Site Crew Rosters

admin
Site Admin
Posts: 302
Joined: Fri Dec 28, 2018 11:51 am
Location: Portsmouth, RI

Bug Fixed: Security Issue - Logged in Users Can See Other Site Crew Rosters

Post by admin »

Jason Black from the Baltic 52 JULES reported a potential security issue. He indicated he was able to view the crew rosters from other Crew Manager sites when he was logged in.
Crew Manager Administrator
admin
Site Admin
Posts: 302
Joined: Fri Dec 28, 2018 11:51 am
Location: Portsmouth, RI

Re: Bug Fixed: Security Issue - Logged in Users Can See Other Site Crew Rosters

Post by admin »

This was reported at 1:04 pm on 11 February. Based on a phone discussion with Jason, the problem was determined to be related to how WordPress handles multisite users. An immediate security patch was developed and installed. The following describes the test results after the fix was incorporated for a logged-in user.
1. Logged in users may see the crew roster and full names on any site the Skipper has added them. Some users are crew members on multiple boats and appear on multiple sites.
2. Logged in users who open another Crew Manager site will show up as "Logged in" on the other site's menu.
3. If a user attempts to view any of the following pages on another site, a message will be displayed indicating that although they are logged in, they have not been added to the site by the Skipper: Roster, Availability, Assignments. Additionally, any calendar events that display crew lists will only show the display name, not the full name visible to the home site for a logged in user.
4. All pop-ups show crew information similar to #3.

This security fix was incorporated within 5 hours of being reported and is on all sites effective 6pm 11 February 2020.
Crew Manager Administrator
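The root cause described in the post is a general WordPress multisite property: one user table is shared by every site in the network, so `is_user_logged_in()` is true on every site once a user has logged in anywhere, and a page that only checks for a login will leak data across sites. The check that matters is per-site membership. The following is an added example written for this thread, not Crew Manager's own code; the `cm_example_*` function names, the message wording and the user-listing query are assumptions, while `is_user_member_of_blog()`, `get_current_blog_id()`, `get_users()` and `auth_redirect()` are standard WordPress functions. It shows the behaviour the test results describe: roster-type pages refused to non-members with an explanatory message, and crew names reduced to the display name for anyone who is logged in but not added to the site.

```php
<?php
// Added example (not Crew Manager's code): per-site access checks for a
// WordPress multisite network. Function names prefixed cm_example_ are
// hypothetical; the WordPress API calls are real.

/**
 * True only if the current user is logged in AND the Skipper has added them
 * to the *current* site. Network-wide login alone is not enough.
 */
function cm_example_is_member_of_current_site() {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    // is_user_member_of_blog() consults the per-site role (wp_<id>_capabilities);
    // it is the check that distinguishes "in the network" from "on this boat".
    return is_user_member_of_blog( get_current_user_id(), get_current_blog_id() );
}

/**
 * Name shown for a crew member: full name for site members, display name
 * for logged-in users from other sites (matches items 3 and 4 in the post).
 */
function cm_example_crew_label( WP_User $crew ) {
    if ( cm_example_is_member_of_current_site() ) {
        $full = trim( $crew->first_name . ' ' . $crew->last_name );
        return $full !== '' ? $full : $crew->display_name;
    }
    return $crew->display_name;
}

/**
 * Gate for the Roster, Availability and Assignments pages.
 * Anonymous visitors go to the login form; logged-in non-members get the
 * "not added by the Skipper" message instead of the roster.
 */
function cm_example_render_roster_page() {
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // sends to wp-login.php and exits
    }

    if ( ! cm_example_is_member_of_current_site() ) {
        // Assumed wording; the page says the message states the user is logged
        // in but has not been added to this site by the Skipper.
        echo '<p>' . esc_html__(
            'You are logged in, but the Skipper has not added you to this site.',
            'cm-example'
        ) . '</p>';
        return;
    }

    // Only users with a role on this site are listed; 'blog_id' scopes the
    // query to the current site rather than the whole network.
    $crew = get_users( array( 'blog_id' => get_current_blog_id() ) );

    echo '<ul class="cm-example-roster">';
    foreach ( $crew as $member ) {
        echo '<li>' . esc_html( cm_example_crew_label( $member ) ) . '</li>';
    }
    echo '</ul>';
}
```

The design point is that the membership check runs on every code path that emits crew data (the page itself, calendar entries, pop-ups), not only on the page template; the post's item 4 is exactly the case where a fix applied to one view but not another would leave the leak open. A quick regression check is to log in as a user who belongs to site A, open the Roster page on site B, and confirm the message appears and that calendar pop-ups on site B show display names only.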