Very glad to hear that!
Do you think that you could upload changed files here as you usually do when preparing fixes? It would be much appreciated, and I believe that not only by me!
Search found 60 matches
- 18 Mar 2021, 00:49
- Forum: Bug Report version 2.8
- Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
- Replies: 14
- Views: 1291
- 18 Mar 2021, 00:45
- Forum: Suggestions
- Topic: Display Fields Rules - hide the whole tab
- Replies: 1
- Views: 321
Display Fields Rules - hide the whole tab
It is great that you can hide fields using Display Fields Rules (https://docs.rukovoditel.net/index.php?p=112).
And it would be even greater if it was possible to hide tabs. Or alternatively, if the tab would hide automatically in case all fields in the tab were hidden.
- 18 Mar 2021, 00:25
- Forum: Bug Report version 2.8
- Topic: Nested forms - checkboxes, dropdown with multiselect
- Replies: 3
- Views: 1611
Nested forms - checkboxes, dropdown with multiselect
When adding or editing fields of a subentity in a nested form, the values in checkboxes and dropdowns with multi-select are not saved. I have created a video showing the problem: here In my example on the video the fields in nested forms are: employee - field type entity - dropdown - works correctly roles...
- 16 Mar 2021, 22:19
- Forum: Bug Report version 2.8
- Topic: Change history (extension) - missing record of copying of selected (actions with selected)
- Replies: 3
- Views: 1652
Change history (extension) - missing record of copying of selected (actions with selected)
I am trying Rukovoditel's extension demo and noticed that if I copy selected records (actions with selected), this change does not appear in the change history.
- 16 Mar 2021, 16:48
- Forum: Bug Report version 2.8
- Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
- Replies: 14
- Views: 1291
Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
I don't agree with that. Too many IFs. 1) If you download the hack file 2) If you run it. 3) If you are logged in 4) If you have access, then it can run some actions. The only thing you really need to hack any Rukovoditel is to know the URL. For 1+2 it is enough to just open a link with malicious code in the br...
- 16 Mar 2021, 16:26
- Forum: Bug Report version 2.7
- Topic: Rukovoditel 2.7.2 Clickjacking Vulnerability
- Replies: 3
- Views: 1886
Re: Rukovoditel 2.7.2 Clickjacking Vulnerability
@support Is there a way to allow users to use the WYSIWYG textarea and at the same time disable iframes?
- 16 Mar 2021, 15:06
- Forum: Bug Report version 2.8
- Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
- Replies: 12
- Views: 8059
Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
Well, I have briefly checked the code of some modules and there is a function app_check_form_token() to protect some actions against CSRF. The problem is that it is used only in some places but surely not everywhere. Even after the fix uploaded by support to the other thread, there are a lot of forms and acti...
- 16 Mar 2021, 14:56
- Forum: Bug Report version 2.8
- Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
- Replies: 14
- Views: 1291
Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
@support Thanks for preparing the fix, it seems that this exact vulnerability is fixed by it. But I think there are other forms still highly vulnerable to this exact technique. You use the function app_check_form_token() to protect actions from being abused by CSRF. But only some actions are protected, ot...
- 13 Mar 2021, 03:50
- Forum: Bug Report version 2.8
- Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
- Replies: 14
- Views: 1291
Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker change admin password
My comment from https://forum.rukovoditel.net/viewtopic.php?f=19&t=2760 applies here as well. Another probable critical security bug. Sergei, it seems to me that you might not be familiar with the concept of a CSRF attack. This looks like a HUGE problem as it seems that the whole app is maybe not pro...
- 13 Mar 2021, 03:44
- Forum: Bug Report version 2.8
- Topic: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
- Replies: 12
- Views: 8059
Re: CSRF vulnerability on Rukovoditel 2.8.3 Hacker can add new user with admin privilege
This looks like a critical security bug requiring an immediate patch. Typical basic CSRF vulnerability. It does not matter that the attacker is not logged in; the problem is that the attacker can easily achieve that the script is activated by a logged-in user, e.g. by sending the admin a link to a malicious...