Security issues // Pages publicly accessible

Some things really scare me: I was checking my sitemap.xml file as an unauthenticated user and I found I could reach some default pages which I didn’t think I could. However couldn’t find any role/permission setting to disable and/or restrict access. It looks to be like an issue, and I could access pages of users in this community who’s website I could easily recognize as ERPNext instances. Some pages even returned me some error logs, revealing files and folder structure which I don’t think is a good idea showing.

But mostly, it’s having access to some portal pages where access should not be allowed at all for anything related to portal, no matter how secure/insecure. Being able to access the demo page and stuff… I don’t think it should be possible.

I thought these guys might have some poor configured servers, but that happens on your demo site, no matter if I’m logged or not (well, all but the demo thing… I do think it’s working for a reason there :slight_smile: Here are some accessible uri which returned me some unwanted feedback:

cart_terms => returns error log
complete_signup => returns invalid api call
product_search => returns list of products and I can access them
task_info => returns uncaught server exception log
timelog_info => returns uncaught server exception log
order => returns uncaught server exception log

I think there should be a lot more control over pages and routes and maybe it’s just ignorance by my side. Can anybody point me to where I can effectively restrict access to what I explicitly make available publicly?


I am seeing similar issues.

  1. First, I looked at the DocType which has Web View enabled, but Allow Guest to View disabled.

  2. Looking at Newsletters while logged in, I can see the Newsletters (the ones that are published).

  3. After logging out, the published Newsletters are gone.

  4. However, going to the actual pages under the Newsletter http path, one can still view them. Note: I have tried on another browser and refreshing the cache etc.

I agree with @imapirate. This is a security bug.

Thank you.



1 Like