Possible bug: Servershield available in all suscriptions with admin permissions

[CrK01]

We are using latest plesk version 12.5 with all MU applied, and we turned on cloudflare to test this service ( free license ). ( CentOS 6.7 )

It all worked OK , service and plesk are working well, but we noticed that with a limited subscriptors account ( some account we set, with web admin role, and limited permissions to their own suscription ) our customers have access to enable and disable all cloudflare suscriptions to all domains the server has.

It's a potential security problem, as any customer who has access to their own account, can disable other customer's cloudflare settings, enable,disable or modify anything.

 

[custer]

Hi,

Thanks for letting us know about this issue. We've notified CloudFlare about this problem - will keep you updated.

 

[custer]

CloudFlare could not reproduce this problem, unfortunately. Сфт you provide specific steps you took, so that they can replicate it?

 

[CrK01]

Yes:

1 - Enable cloudflare server-wide with free license
2 - Create an user to that suscription ( Administrator web role ) and access only to that suscription
3 - Login with that new user
4 - Go to Server SHield and you can see all suscription buttons

If you need I think we can make a "demo" user to test it

 

[Cami]

Kamilla is here from CloudFlare. Thanks for the steps. Demo would be very useful as well. Please connect with me via [email protected] and we can use skype or gotomeeting for a demo.
Many thanks,
Kamilla

 

[Edi Duluman]

I just installed this extension and I have the same situation. I have access to all available subscriptions from an user that has been assigned to one subscription only.

Plesk 12.5, Admin Edition, Debian 8.3