User with basic access can view the Team Staff and Team Detail pages of any investment by tampering with the URL

Document ID : KB000018538
Last Modified Date : 14/02/2018

Description:

Any investment, whether a project or a non-project investment object (NPIO), can expose sensitive staffing data: an end user who tampers with the URL can reach the investment's Team Staff and Team Detail pages without holding the rights required to view them.

Steps to Reproduce:

  1. Log in to the application as a user with administrative rights (any user holding most of the project-related rights will do).
  2. Navigate to any project, then open its Team Staff page and its Team Detail page.
  3. Note down the application URL of each page.
  4. The URLs look like the following:

    http://<server>/niku/nu#action:projmgr.teamList&id=<project_id>&view_code=projectTeamStaff
    http://<server>/niku/nu#action:projmgr.teamList&id=<project_id>&view_code=projectTeamDetail
  5. Create a new user with the bare minimum rights.
  6. Log in as the new user.
  7. Open the URLs copied earlier.

Expected Result: The user should not have access to these pages, and the usual error text should be displayed: "Error 401 - Unauthorized. You are not authorized to view the page. If you are sure you have access, try logging in again or contact your system administrator."

Actual Result: An alert is displayed, but all of the staffing details are displayed as well. The rights check only produces a warning; it does not stop the page from rendering the data.
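The access-control failure in the steps above, modelled as an added example that is not Clarity PPM's own code: a pre-fix handler that only raises an alert when the required right is missing, beside a hardened handler that authorizes the requested view and the specific investment before any data is looked up and answers 401 otherwise. The right names, users, project id, server name and handler functions are hypothetical stand-ins, and the sample team data is constructed.

```python
"""Added example modelling the URL-tampering check described in the KB article.

Everything here is constructed for illustration: the right names, the sample
users and project, the server name and the handler functions are hypothetical
stand-ins, not Clarity PPM's own code or rights.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

UNAUTHORIZED_TEXT = ("Error 401 - Unauthorized. You are not authorized to view the page. "
                     "If you are sure you have access, try logging in again or contact "
                     "your system administrator.")

# Hypothetical right names standing in for the product's team-view rights.
TEAM_VIEW_RIGHT = {
    "projectTeamStaff": "Project - View Team Staff",
    "projectTeamDetail": "Project - View Team Detail",
}

# Constructed sample data: one project (hypothetical id) with two staffed resources.
PROJECT_TEAM = {
    5001001: [
        {"resource": "Alice Example", "role": "Developer", "allocation": 1.0},
        {"resource": "Bob Example", "role": "Architect", "allocation": 0.5},
    ],
}


@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)    # global (right-name) rights
    projects: set = field(default_factory=set)  # instance-level access by project id


def parse_action_url(url: str) -> dict:
    """Split a '#action:<name>&k=v...' URL into the action name and its parameters."""
    fragment = url.split("#", 1)[1]
    action, _, query = fragment.partition("&")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    params["action"] = action[len("action:"):] if action.startswith("action:") else action
    return params


def team_list_vulnerable(user: User, params: dict) -> dict:
    """Pre-fix behaviour as the KB describes it: a missing right only adds an
    alert to the response, while the staffing rows are still returned."""
    project_id = int(params["id"])
    response = {"status": 200, "alerts": [], "rows": PROJECT_TEAM.get(project_id, [])}
    if TEAM_VIEW_RIGHT[params["view_code"]] not in user.rights:
        response["alerts"].append("You do not have the rights to view this page.")
    return response


def team_list_fixed(user: User, params: dict) -> dict:
    """Hardened behaviour: validate the parameters, then authorize the user for
    the requested view AND the specific investment before any data is looked up."""
    view = params.get("view_code")
    if view not in TEAM_VIEW_RIGHT:
        return {"status": 400, "alerts": ["Unknown view_code"], "rows": []}
    try:
        project_id = int(params.get("id", ""))
    except ValueError:
        return {"status": 400, "alerts": ["Invalid id"], "rows": []}
    if TEAM_VIEW_RIGHT[view] not in user.rights or project_id not in user.projects:
        return {"status": 401, "alerts": [UNAUTHORIZED_TEXT], "rows": []}
    return {"status": 200, "alerts": [], "rows": PROJECT_TEAM.get(project_id, [])}


def reproduce(handler):
    """Replay the KB's steps against a handler: an admin records the Team Staff
    URL, then a bare-minimum user replays it. Returns (admin, basic) responses."""
    admin = User("admin", rights=set(TEAM_VIEW_RIGHT.values()), projects={5001001})
    basic = User("basic")  # bare minimum rights: no team-view right, no project access
    url = ("http://ppm.example.com/niku/nu#action:projmgr.teamList"
           "&id=5001001&view_code=projectTeamStaff")  # hypothetical server and id
    params = parse_action_url(url)
    return handler(admin, params), handler(basic, params)


if __name__ == "__main__":
    for name, handler in (("vulnerable", team_list_vulnerable), ("fixed", team_list_fixed)):
        _, basic_resp = reproduce(handler)
        print(f"{name}: status={basic_resp['status']} rows={len(basic_resp['rows'])}")
```

The point of the hardened handler is that the authorization decision is made on the server for the exact resource named in the request (view code plus investment id), not on whether the user navigated there through the menu; an alert that is shown alongside the data is not an access control.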


Solution:

WORKAROUND:

None.

STATUS/RESOLUTION:

CLRT-74665
Resolved in Clarity 13.2 Generic Patch. Reference TEC599354
Resolved in Clarity 13.3 Generic Patch. Reference TEC605767
Resolved in CA PPM 14.1