Closed bulgin closed 5 years ago
Can you link the code you are talking about?
When I turn off that plugin, the issue goes away.
Might be a false alarm: only happens when also logged in as administrator. What do you think?
I thought you were talking about specific source code in this plugin.
This plugin sends email, first and last name to Mautic when logged in to the Joomla frontend:
https://github.com/mautic/mautic-joomla/blob/master/mautic.php#L84
I don't see anything about role.
The following is what is revealed in the "show source" of a webpage with the Mautic script in place. It shows "super user" along with the email address associated with that super user. As noted, this does not show up unless I, as administrator of the site with the Mautic code on the site's webpages, am logged into Joomla as admin on the backend. I understand that it's a bit hit-and-miss with someone scanning web pages for vulnerabilities, but the code does reveal some sensitive information whenever the admin is logged into the site. And as you know, there are robots out there doing this kind of thing.
If robots can log in to your website as yourself then you don't have to worry about them reading the email address of the user they logged into as in the first place. The robot knows it already.
Maybe you wrote this issue thinking that the robots can see what you can see when you are logged in. Well, then the concept of logging in is in trouble. It would mean that when you log in to your bank website the robots can download the source code of the website you are looking at and read all your financial transactions.
It's really not about "logging in" as me. It's about disclosure of information that (should) would otherwise be protected with regard to information about the administrator of a site. I'm aware that robots cannot see what I'm seeing. I'm concerned that the robots can gather information about the administrator to otherwise compromise a system. That's pretty basic security 101 and this information should not be easily revealed via a script. That's all.
So the data of the logged-in user is visible to the logged-in user? That seems like the concept of a login to me. It is only revealing the information to you, as a logged-in user. It's not as if, whenever you are logged in, everyone can suddenly see your email address.
I'm glad you understand that robots cannot see the admin email. The script sends this information to your Mautic which is in your hands I suppose. Use SSL and you should be fine. Or maybe I don't understand what the problem is.
This is NOT an issue. Further testing reveals that, for the user logged into the admin panel, their credentials such as user name, user email and role (and only those items) are revealed to that same user on the same network and are not passed through to any other person accessing the website outside of the admin's network and workstation.
Looking at the source code of each page reveals this script showing the admin email address and roles. Is this normal?
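The verification described in this thread (compare what the tracking snippet contains for an anonymous visitor versus the logged-in admin) can be scripted against saved page sources. The following is an added example, not code from the mautic-joomla plugin or from anyone in this thread; it assumes the tracker embeds visitor data as `mt('send', 'pageview', {...})` with the field names shown, and both HTML samples are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not captured from a real site). The shape of the
# tracker call and the field names (email, firstname, lastname, role) are
# assumptions made for this example.
ANON_PAGE = """<html><head><script>
mt('send', 'pageview');
</script></head><body>hello</body></html>"""

LOGGED_IN_PAGE = """<html><head><script>
mt('send', 'pageview', {email: 'admin@example.invalid', firstname: 'Site',
  lastname: 'Admin', role: 'Super Users'});
</script></head><body>hello</body></html>"""

SENSITIVE_FIELDS = ("email", "firstname", "lastname", "role")
PAGEVIEW_CALL = re.compile(r"mt\(\s*'send'\s*,\s*'pageview'\s*,\s*\{(.*?)\}\s*\)", re.S)


class ScriptCollector(HTMLParser):
    """Collect the text of every inline <script> block in a page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data  # script text may arrive in chunks


def leaked_fields(html):
    """Return {field: value} for sensitive keys found in any pageview call."""
    parser = ScriptCollector()
    parser.feed(html)
    found = {}
    for script in parser.scripts:
        for call in PAGEVIEW_CALL.finditer(script):
            for key in SENSITIVE_FIELDS:
                match = re.search(r"\b%s\s*:\s*'([^']*)'" % key, call.group(1))
                if match:
                    found[key] = match.group(1)
    return found


def exposure_report(anon_html, logged_in_html):
    """Side-by-side view: a non-empty 'anonymous' entry would be a real leak."""
    return {"anonymous": leaked_fields(anon_html), "logged_in": leaked_fields(logged_in_html)}
```

Run the same check on the source fetched without any session cookie from a different network; only a non-empty anonymous result indicates disclosure to third parties.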