fix(security): Add missing authorization checks to DWR endpoints (dotCMS#33676)
## 🔒 Security Fix: DWR Authorization Bypass
This PR addresses a **critical security vulnerability** reported in
[private-issues#482](dotCMS/private-issues#482)
where DWR (Direct Web Remoting) endpoints lacked proper authorization
validation.
### 🚨 Vulnerability Summary
Users with minimal backend access (System → Back-end user role) could
call privileged API endpoints that should be restricted to
administrators, leading to:
- **Privilege escalation** via `saveRolePermission`
- **Information disclosure** of users, roles, and permissions
- **System information leakage** via thread monitoring
### 📋 Affected Endpoints Fixed
| Endpoint | Severity | Issue |
|----------|----------|-------|
| `RoleAjax.saveRolePermission` | **CRITICAL** | No authorization check - allows privilege escalation |
| `RoleAjax.getRolePermissions` | HIGH | Only authenticated, not authorized |
| `RoleAjax.getRole` | HIGH | No validation at all |
| `RoleAjax.getUserRole` | HIGH | No validation at all |
| `RoleAjax.getCurrentCascadePermissionsJobs` | HIGH | No validation at all |
| `RoleAjax.isPermissionableInheriting` | HIGH | Only authenticated, not authorized |
| `UserAjax.getUsersList` | HIGH | Only authenticated, not authorized |
| `ThreadMonitorTool.getThreads` | MEDIUM | Never calls its own `validateUser()` method |
### ✅ Changes Made
#### RoleAjax.java (6 methods)
Added `validateRolesPortletPermissions(getLoggedInUser())` to:
- `saveRolePermission()` - prevents privilege escalation
- `getRolePermissions()` - prevents permission enumeration
- `getRole()` - prevents role information disclosure
- `getUserRole()` - prevents user role disclosure
- `getCurrentCascadePermissionsJobs()` - prevents job enumeration
- `isPermissionableInheriting()` - prevents permission inheritance
disclosure
#### UserAjax.java (1 method)
Changed `getUsersList()` from:
```java
getLoggedInUser(); // Only checks authentication
```
To:
```java
validateUsersPortletPermissions(getLoggedInUser()); // Checks authorization
```
#### ThreadMonitorTool.java (1 method)
Added validation call to `getThreads()`:
```java
if (!validateUser()) {
    throw new DotRuntimeException("User does not have access to the CMS Maintenance Portlet");
}
```
### 🔍 Security Pattern Used
All fixes follow the existing security pattern established in protected
methods like `RoleAjax.removeUsersFromRole()` and `UserAjax.addUser()`.
**Validation methods from `DwrUtil.java`:**
- `validateRolesPortletPermissions(User)` - Validates access to Roles
portlet
- `validateUsersPortletPermissions(User)` - Validates access to Users
portlet
- `validateUser()` - Validates access to Maintenance portlet
(ThreadMonitorTool)
### 🧪 Testing Recommendations
Before this fix:
```bash
# Unprivileged user with JSESSIONID could call:
curl -X POST http://localhost:8080/dwr/call/plaincall/UserAjax.getUsersList.dwr \
-H "Cookie: JSESSIONID=<unprivileged_session>" \
--data-raw "..."
# Returns: List of all users ❌
```
After this fix:
```bash
# Same request now returns:
# DotSecurityException: "User does not have access to the [roles/users] Portlet" ✅
```
**Test cases to verify:**
1. Unprivileged user (System → Back-end only) **cannot** call any of the
8 fixed endpoints
2. Admin user (System → Administrator) **can** call all endpoints
3. User with user admin permissions **can** call user-related endpoints
4. User with role admin permissions **can** call role-related endpoints
### 📊 Impact
- **Before:** Any backend user could escalate privileges and enumerate
system data
- **After:** Only users with proper admin permissions can access these
endpoints
### 📚 Related Issues
- Fixes: dotCMS/private-issues#482
- Historical context: dotCMS#3031 (DWR general lockdown - 2013)
- Related migration: dotCMS#22524 (Permissions migration from DWR to REST -
2022)
### 🔐 Security Considerations
This is a **critical security fix** that should be:
- **Backported** to all supported LTS versions
- **Deployed immediately** to affected systems
- **Documented** in the security advisory after deployment
---
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude <[email protected]>
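As an added illustration, not dotCMS code and not part of this PR, of the authentication-versus-authorization pattern described under "Security Pattern Used" and the "Test cases to verify" list above: a stand-alone Java model in which `getLoggedInUser()` only proves a session exists, and a stand-in for the `DwrUtil` portlet validators rejects sessions that lack the portlet. `User`, `Portlet`, `validatePortletPermissions` and the `attempt` helper are hypothetical stand-ins (the real `DwrUtil` has one validator per portlet rather than the single parameterised one here), and the first call in `main` shows the pre-fix shape for contrast.

```java
import java.util.EnumSet;
import java.util.Set;
import java.util.function.Supplier;
public class DwrAuthzExample {
    // Stand-in for the dotCMS exception named in the PR.
    static class DotSecurityException extends RuntimeException {
        DotSecurityException(String msg) { super(msg); }
    }
    enum Portlet { ROLES, USERS }
    record User(String name, Set<Portlet> portlets) {}
    // Models getLoggedInUser(): proves a session exists and nothing more.
    static User getLoggedInUser(User session) {
        if (session == null) throw new DotSecurityException("Not logged in");
        return session;
    }
    // Models DwrUtil.validateRolesPortletPermissions / validateUsersPortletPermissions:
    // an authenticated user is still rejected unless the portlet has been granted.
    static void validatePortletPermissions(User u, Portlet p) {
        if (!u.portlets().contains(p))
            throw new DotSecurityException("User does not have access to the " + p + " Portlet");
    }
    // Vulnerable shape (before the fix): authentication only, so any back-end user reaches the work.
    static String getUsersListBefore(User session) {
        getLoggedInUser(session);
        return "all users";
    }
    // Fixed shape: authenticate, then authorize against the right portlet, then do the work.
    static String getUsersListAfter(User session) {
        validatePortletPermissions(getLoggedInUser(session), Portlet.USERS);
        return "all users";
    }
    static String saveRolePermissionAfter(User session) {
        validatePortletPermissions(getLoggedInUser(session), Portlet.ROLES);
        return "permission saved";
    }
    static void attempt(String label, Supplier<String> call) {
        try { System.out.println(label + ": " + call.get()); }
        catch (DotSecurityException e) { System.out.println(label + ": denied, " + e.getMessage()); }
    }
    public static void main(String[] args) {
        User backendOnly = new User("backend", EnumSet.noneOf(Portlet.class));
        User userAdmin = new User("useradmin", EnumSet.of(Portlet.USERS));
        User admin = new User("admin", EnumSet.allOf(Portlet.class));
        attempt("before fix, back-end only user lists users", () -> getUsersListBefore(backendOnly));
        attempt("after fix, back-end only user lists users", () -> getUsersListAfter(backendOnly));
        attempt("after fix, user admin lists users", () -> getUsersListAfter(userAdmin));
        attempt("after fix, user admin saves role permission", () -> saveRolePermissionAfter(userAdmin));
        attempt("after fix, system admin saves role permission", () -> saveRolePermissionAfter(admin));
    }
}
```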