Title:
Using "allowed ip addresses" to "block admin" access still shows login page to any IP
Status/Resolution/Reason: Closed/Fixed/Fixed
Reporter/Name(from Bugbase): Charlie Arehart / Charlie Arehart ()
Created: 07/25/2017
Components: Administrator, Security
Versions: 2016,11.0
Failure Type: Incorrectly functioning
Found In Build/Fixed In Build: all versions / 308693
Priority/Frequency: Normal / Some users will encounter
Locale/System: / Win 2012 Server x64
Vote Count: 1
Problem Description:
In CF10 or 11, the security>allowed IP addresses page was modified to allow protection of the CF Admin to be accessible only to any indicated IP address.
The problem is that while this prevents anyone successfully *logging in* unless they are coming from one of the listed IP Addresses, it does NOT limit DISPLAY OF THE LOGIN PAGE to only those IPs.
Why not?
And the problem is that many think the feature is not working when they enable it, or worse, security scanners check to see simply if the login page appears, and it does, so many folks fail security scans because of this problem.
Please just make it so that if this feature is enabled, the mere display of the login page is also prevented.
And while CF2016 does indeed limit access to the CF admin by requiring use of the internal web server, that does not change the value of the suggestion above. Someone could be accessing the Admin via the internal web server via an address other than those listed (such as non-admin folks within an organization's intranet).
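The ordering problem the report describes (the allowlist is consulted only when a login is attempted, so the login form itself is still served to every client) can be shown with a small request-dispatch model. The following is an added example written for this page, not ColdFusion code and not the fix Adobe shipped in build 308693; the admin path, the login action name, the allowlist ranges and the scanner's source address are all constructed placeholders. It models the reported behaviour beside a hardened dispatcher that applies the allowlist to the whole admin path before anything is rendered, and includes the kind of check a scanner performs: does an unlisted address get the login page back?

```python
import ipaddress

# Placeholder admin path and login action; not necessarily the real CF paths.
ADMIN_PREFIX = "/CFIDE/administrator/"
LOGIN_ACTION = ADMIN_PREFIX + "login.cfm"

# Constructed allowlist standing in for the "allowed IP addresses" setting.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.50/32"),
]


def ip_allowed(remote_addr, allowed=ALLOWED_NETWORKS):
    """True if the direct peer address falls inside an allowed network.

    Uses the socket peer address only; proxy headers such as
    X-Forwarded-For are client-controlled and are not consulted here.
    """
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in allowed)


def handle_reported(method, path, remote_addr):
    """Dispatcher modelling the behaviour described in the report:
    the allowlist is enforced only when credentials are submitted,
    so a GET of the admin URL renders the login form for any address."""
    if not path.startswith(ADMIN_PREFIX):
        return 200, "app"
    if method == "POST" and path == LOGIN_ACTION:
        if not ip_allowed(remote_addr):
            return 403, "denied"
        return 302, "admin-console"
    return 200, "login-page"  # rendered regardless of remote_addr


def handle_hardened(method, path, remote_addr):
    """Dispatcher with the check moved in front of the admin path:
    unlisted addresses are refused before the login form exists."""
    if path.startswith(ADMIN_PREFIX) and not ip_allowed(remote_addr):
        return 403, "denied"
    return handle_reported(method, path, remote_addr)


def login_page_exposed(handler, probe_addr="203.0.113.7"):
    """Scanner-style check: does an address outside the allowlist
    receive the admin login page? True means the finding would fire."""
    status, body = handler("GET", ADMIN_PREFIX, probe_addr)
    return status == 200 and body == "login-page"


if __name__ == "__main__":
    for name, handler in (("reported", handle_reported),
                          ("hardened", handle_hardened)):
        print(f"{name}: login page exposed to unlisted IP ="
              f" {login_page_exposed(handler)}")
```

In the model, both dispatchers refuse a credential POST from an unlisted address, so the feature "works" in the sense the report grants it; only the hardened one also withholds the form, which is what a scanner that merely requests the admin URL is measuring.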
Attachments:
Comments: