- org admins have the inherent ability to reset passwords for all of their org's users
- this however could be abused if for some reason the host org of an instance would create org admins
- the org admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them
- the potential for abuse is very circumstancial as it requires the host org to create lower privilege org admins instead of the usual site admins
- only org admins of the same organisation as the site admin could abuse this
- as reported by Raymond Schippers
- Only site admins and sharing group editors can see organisation lists
- this includes the org index and various statistics
- Keep in mind: Sharing group editors CAN see the full organisation list - otherwise they wouldn't be able to create sharing groups.
- Also, users CAN enumerate organisations that have created ANY data on the instance by looking at the given data
- this includes events, proposals, discussion entries, etc
- rare occurance, but some MISP servers enter an upgrade loop causing massive amounts of log entries
- this patch cleans up the bug preventing further upgrade loops as well as offers a script to clean up the fallout
- removed incorrect, useless boiler plate comments
- kept useful comments intact
- added some missing line breaks to make the codebase a bit more uniform
- removed some obviously obsolete TODO comments
Similar to pull request #1121 and issue #749, the ID needs to be in group_by to solve this error in /admin/logs/search
>Error: [PDOException] SQLSTATE[42000]: Syntax error or access violation: 1055 Expression #1 of SELECT list is not in GROUP BY clause and contains nonaggregated column 'Log.id' which is not functionally dependent on columns in GROUP BY clause; this is incompatible with sql_mode=only_full_group_by
- index now shows the model that the log entry concerns
- added model to the search parameters
- this allows for searches such as new users added (Model:User - action:add)
- fixed a bug with the log search where going back to the first page of results would return you to the search form
Merge and upgrade of several new features
Conflicts:
VERSION.json
app/Controller/ShadowAttributesController.php
app/Controller/TagsController.php
app/Model/AppModel.php
app/Model/Event.php
app/Plugin/SysLogLogable/Model/Behavior/SysLogLogableBehavior.php
- Added logging of failed login attempts
- Added (optional) logging of successful authentications
- admin setting that has to be enabled
- will log all API calls (both HTTP method and target url)
- optional logging of user IP address for all logs
- each log entry created while this setting is enabled will log the IP address of the client
- disabling it also hides the IPs from the interface
- added new IP field for the log search (only if enabled)
- The log search incorrectly set the search terms for empty fields, meaning that any log entries that had unfilled columns, such as it is the case with admin_email would never return results
Golbark