
Security Threat!! (Urgent)


  • Security Threat!! (Urgent)

    Hello Everyone,

    My security module is not working, and the site has already gone live. During testing it seemed to work, but observe the following:

    When I test it on the live site (say mysite.com/myapp):

    I get the proper menu displayed, based on the group of the user.

    However, anyone can simply type an application's address into the address bar and open applications that are not listed in their menu, even though in Security > Group Applications I have not given that group permission for them.

    Please review — I need urgent help.


    I have the following code in app_Login:

    PHP Code:
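    // Code auto-generated by ScriptCase: load the per-application privileges of
    // every group the authenticated login belongs to. Each row is one
    // (app_name, group) pair, so a login that is in several groups yields several
    // rows for the same application.
    //
    // NOTE(review): the login is concatenated straight into the SQL. At this
    // point [usr_login] is the login that has just authenticated, but a value
    // containing a quote still breaks (or alters) this statement. Escape it with
    // the SQL-escaping macro your ScriptCase version provides (sc_sql_injection
    // in current releases -- TODO confirm) or validate the login format at the
    // login form.
    //
    // The listing as posted had its '=' and ',' stripped by the forum's
    // syntax highlighter; they are restored here.
    $sql = "SELECT
                app_name,
                priv_access,
                priv_insert,
                priv_delete,
                priv_update,
                priv_export,
                priv_print
            FROM sec_groups_apps
            WHERE group_id IN
                (SELECT group_id
                   FROM sec_users_groups
                  WHERE login = '" . [usr_login] . "')";

    // {rs} receives the recordset, or false when the query fails (checked by
    // the caller below).
    sc_select(rs, $sql);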
    if ({
    rs} !== false)
    {
        while (!
    $rs->EOF)
        {
            if( 
    $rs->fields[1] == 'Y')
            {
                
    sc_apl_status($rs->fields[0], 'on');
            }
            else
            {
                
    sc_apl_status($rs->fields[0], 'off');
            }

            
    sc_apl_conf($rs->fields[0], 'insert'has_priv($rs->fields[2]));
            
    sc_apl_conf($rs->fields[0], 'delete'has_priv($rs->fields[3]));
            
    sc_apl_conf($rs->fields[0], 'update'has_priv($rs->fields[4]));
            
    //export
            
    $export_permission 'btn_display_'has_priv($rs->fields[5]);
            
    sc_apl_conf($rs->fields[0], $export_permission'xls');
            
    sc_apl_conf($rs->fields[0], $export_permission'word');
            
    sc_apl_conf($rs->fields[0], $export_permission'pdf');
            
    sc_apl_conf($rs->fields[0], $export_permission'xml');
            
    sc_apl_conf($rs->fields[0], $export_permission'csv');
            
    sc_apl_conf($rs->fields[0], $export_permission'rtf');
            
    //export
            
            
    $export_permission 'btn_display_'has_priv($rs->fields[6]);
            
    sc_apl_conf($rs->fields[0], $export_permission'print');

            
    $rs->MoveNext();    
        }
        
    $rs->Close();
        if(
    sc_logged({login})):
            
    sc_log_add('login', {lang_login_ok});
            
    sc_user_logout('logged_user''logout''app_Login');
            
            
            
        
    /* MY LINES START HERE */
        
    $currentuser = [usr_login];

    $check_sql "SELECT group_id FROM sec_users_groups WHERE login = " "'" $currentuser "'";
    sc_lookup(rs$check_sql);

    $groupid = {rs[0][0]};
        
    $check_sql "SELECT description FROM sec_groups WHERE group_id = " "'" $groupid "'";
    sc_lookup(rs$check_sql);

    $group = {rs[0][0]};

    switch (
    $group)
    {
    case 
    "Accountant":
          
    sc_redir('MenuAccountant');
        break;
        
    case 
    "DataEntry":
          
    sc_redir('MenuDataEntry');
        break;  
        
    case 
    "Null":
          
    sc_redir('MenuNull');
        break;
        
    case 
    "Sales":
          
    sc_redir('MenuSales');
        break;
        
    case 
    "Supervisor":
          
    sc_redir('MenuSupervisor');
        break;
        
    case 
    "Auditor":
          
    sc_redir('MenuAuditor');
        break;
        
    case 
    "Administrator":
          
    sc_redir('Menu');
        break;

    }
    /* MY LINES ENDS HERE */
        
                //sc_redir('Menu');    COMMENTING DONE, AS IT IS REPLACED BY MY CODES
        
    endif;


  • #2
    Hi — did you enable security on each individual application? The group permissions are only enforced by applications that have security turned on.



    • #3
      I asked for this to be changed over a year ago!



      • #4
        What needs to be changed? This is your first post.
        Albert Drent

