We recently found a security issue in our in-house CRM system, caused by the Model.User.xafml file being shared when many users work on the same machine.
The CRM's files are copied from the server onto each machine automatically every time we release an update. By default, DevExpress stores the Model.User.xafml file locally alongside the rest of the CRM's install files; in our case the application is installed on the C: drive so that many users of the machine can access it.
The Model.User file saves a user's preferences, such as default sorting on list views, custom column arrangements and their default skin, along with the tabs they last had open when closing the application. That last point is what caused our security issue: the Model.User file remembers these tabs and reopens them the next time the application is run.
We use Windows authentication within our CRM and have many different security levels, ranging from everyday users with basic access to managers and administrators with administrator access. Each level has different permissions governing which navigation items are visible and which business objects can be viewed and edited. The issue we found was that if an administrator or manager left a number of tabs open when closing the application, those tabs were saved into the Model.User file on the C: drive. If a different user with lesser permissions then opened the application, they would see the tabs left open when the application was last closed and could potentially view the information on those tabs, information they would not normally have access to.
To overcome this issue we decided it would be best to store a Model.User file for each individual user in their own AppData folder. To do so, we set the TraceLogLocation and UserModelDiffsLocation values to CurrentUserApplicationDataFolder in our App.config file.
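The following App.config fragment is an added illustration of that change, not the configuration file from our CRM. The two keys and the CurrentUserApplicationDataFolder value are the ones named above; the commented-out ApplicationFolder lines show the install-folder location that the shared Model.User.xafml came from, so the weak and corrected settings can be read side by side.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- Shared-machine setting that caused the issue: the user model diffs and
         the trace log live in the application's install folder, so every
         Windows user of the machine reads and writes the same Model.User.xafml,
         including the tabs the previous user left open. -->
    <!--
    <add key="UserModelDiffsLocation" value="ApplicationFolder" />
    <add key="TraceLogLocation" value="ApplicationFolder" />
    -->

    <!-- Corrected setting: each Windows user gets a private copy under their
         own AppData folder, so one user's saved tabs are never replayed to
         another user who signs in on the same machine. -->
    <add key="UserModelDiffsLocation" value="CurrentUserApplicationDataFolder" />
    <add key="TraceLogLocation" value="CurrentUserApplicationDataFolder" />
  </appSettings>
</configuration>
```

Two points worth checking after rolling this out: confirm that the deployed App.config on each machine actually carries the new values (the deployment copies files from the server, so an old config left in place would silently keep the shared behaviour), and remove any Model.User.xafml still sitting in the shared install folder, since that file already contains the previously saved tabs even though the application no longer reads it from there.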
Now our solution stores a separate Model.User file for each user of the application in their personal folder, so on start-up the application loads that user's own Model.User file from their AppData folder, eliminating the security risk.