tracker issue : CF-4199255

Title:

Using "allowed ip addresses" to "block admin" access still shows login page to any IP


Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): Charlie Arehart / Charlie Arehart ()

Created: 07/25/2017

Components: Administrator, Security

Versions: 2016,11.0

Failure Type: Incorrectly functioning

Found In Build/Fixed In Build: all versions / 308693

Priority/Frequency: Normal / Some users will encounter

Locale/System: / Win 2012 Server x64

Vote Count: 1

Problem Description:

In CF10 or 11, the security>allowed IP addresses page was modified to allow protection of the CF Admin to be accessible only to any indicated IP address.

The problem is that while this prevents anyone successfully *logging in* unless they are coming from one of the listed IP Addresses, it does NOT limit DISPLAY OF THE LOGIN PAGE to only those IPs.

Why not?

And the problem is that many think the feature is not working when they enable it, or worse, security scanners check to see simply if the login page appears, and it does, so many folks fail security scans because of this problem.

Please just make it so that if this feature is enabled, the mere display of the login page is also prevented.

And while CF2016 does indeed limit access to the CF admin by requiring use of the internal web server, that does not change the value of the suggestion above. Someone could be accessing the Admin via the internal web server via an address other than those listed (such as non-admin folks within an organization's intranet).
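To make the reported gap concrete, here is an added illustration (not ColdFusion's own code, and not from the reporter): a minimal admin handler whose IP allow list is consulted only when credentials are submitted, beside one that checks the allow list before serving anything. The handler shape, the status codes and the allow list `10.0.0.0/24` are constructed for this example.

```python
"""Constructed example: an admin allow list enforced only at login time,
beside the same list enforced on every request to the admin path."""
from ipaddress import ip_address, ip_network

# Constructed allow list standing in for the Administrator's "allowed IP addresses".
ALLOWED = [ip_network("10.0.0.0/24")]


def _allowed(client_ip):
    """True when the client address falls inside any allowed network."""
    addr = ip_address(client_ip)
    return any(addr in net for net in ALLOWED)


def admin_login_only(method, client_ip, credentials_ok=False):
    """Behaviour as reported: a GET from any address gets the login form;
    the allow list is only checked once a login is attempted, so a scanner
    looking for the form will find it from an unlisted address."""
    if method == "GET":
        return 200, "login-form"
    if not _allowed(client_ip):
        return 403, "forbidden"
    return (302, "admin") if credentials_ok else (401, "login-form")


def admin_hardened(method, client_ip, credentials_ok=False):
    """Behaviour the report asks for: the allow list gates every request,
    so an unlisted address never sees the login form at all."""
    if not _allowed(client_ip):
        return 403, "forbidden"
    if method == "GET":
        return 200, "login-form"
    return (302, "admin") if credentials_ok else (401, "login-form")
```

The only difference is where the allow-list check sits; a scan that merely checks for the presence of the form distinguishes the two.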

Attachments:

Comments:

Thanks to whoever at Adobe just marked it as bugverified. I'm a bit bummed not to see any change here of whether or when it may be due to be fixed. It's pretty important, and since it's security-related I would think that would raise the priority/urgency (though not "critical", since the mechanism is indeed protecting folks, just not as obviously as it could). Also, can someone from Adobe change the title here from my mistaken "up addresses" to my intended "ip addresses"? Sure, it's obvious once one reads the description, but when viewed in a list (or other reference to it), the mistake could lead readers to dismiss it as not relevant to any concern of theirs. I don't see any way for me to edit it myself. Thanks.
Comment by Charlie A.
487 | September 20, 2017 02:17:10 PM GMT