Ticket #155 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

It's possible to register accounts with the same name as permission groups

Reported by: itamar@itamarst.org
Assigned to: mgood
Priority: highest
Component: AccountManagerPlugin
Severity: critical
Keywords:
Cc: gunnar
Trac Release: 0.8

Description

The documentation suggests you can create permission groups, assign them permissions, and then assign that group as a permission to a user. A malicious attacker can then register a user with the same name as a permission group, thus gaining all the permissions of that group.

Change History

06/15/06 16:10:36 changed by gunnar

  • cc set to gunnar.
  • release set to 0.8.

07/19/06 22:06:45 changed by mgood

  • priority changed from normal to highest.
  • status changed from new to assigned.

07/19/06 22:54:24 changed by mgood

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [1045]) disallow registration of accounts which have existing permissions (fixes #155)
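
The name collision reported in this ticket, and a registration check of the kind the fix describes, as an added example (not the plugin's code and not changeset [1045]). It assumes a two-column (username, action) permission table in which a group is just a subject name granted to other subjects; the sample rows and the functions `effective_permissions` and `registration_allowed` are constructed for illustration, and the check goes slightly further than the commit message by also refusing names that appear only as a group in the action column.

```python
import sqlite3

# Constructed sample rows. Assumed convention: an upper-case action is a
# permission, anything else in the action column is a group name.
ROWS = [
    ("developers", "TICKET_ADMIN"),  # group -> permission
    ("developers", "WIKI_DELETE"),
    ("alice", "developers"),         # user -> group membership
    ("carol", "testers"),            # group with a member but no permissions yet
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE permission (username TEXT, action TEXT)")
    db.executemany("INSERT INTO permission VALUES (?, ?)", ROWS)
    return db

def effective_permissions(db, subject):
    """Resolve permissions for a subject, following group memberships."""
    seen, todo, perms = set(), [subject], set()
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        for (action,) in db.execute(
                "SELECT action FROM permission WHERE username = ?", (name,)):
            if action.isupper():
                perms.add(action)    # concrete permission
            else:
                todo.append(action)  # group name: expand it as a subject
    return perms

def registration_allowed(db, requested):
    """Hypothetical check: refuse a name already used as a permission subject
    or as a group. Case-insensitive comparison is a conservative assumption."""
    name = requested.strip()
    if not name:
        return False
    row = db.execute(
        "SELECT 1 FROM permission WHERE lower(username) = lower(?) "
        "OR lower(action) = lower(?) LIMIT 1", (name, name)).fetchone()
    return row is None

if __name__ == "__main__":
    db = make_db()
    # An account named like the group resolves to the group's permissions.
    print(sorted(effective_permissions(db, "developers")))
    print(registration_allowed(db, "developers"), registration_allowed(db, "mallory"))
```

Because the permission lookup cannot tell an account from a group of the same name, the check has to run at registration time, before the account exists.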

