
Opened 9 years ago

Closed 8 years ago

Last modified 8 years ago

#155 closed defect (fixed)

It's possible to register accounts with the same name as permission groups

Reported by: itamar@…
Owned by: mgood
Priority: highest
Component: AccountManagerPlugin
Severity: critical
Keywords:
Cc: gunnar
Trac Release: 0.8

Description

The documentation suggests you can create permission groups, assign them permissions, and then assign that group as a permission to a user. A malicious attacker can then register a user with the same name as a permission group, thus gaining all the permissions of that group.

Attachments (0)

Change History (3)

comment:1 Changed 8 years ago by gunnar

  • Cc gunnar added
  • Trac Release set to 0.8

comment:2 Changed 8 years ago by mgood

  • Priority changed from normal to highest
  • Status changed from new to assigned

comment:3 Changed 8 years ago by mgood

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [1045]) disallow registration of accounts which have existing permissions (fixes #155)
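
A minimal model of the collision reported in this ticket and of the kind of check the changeset message describes, as an added example that is not the plugin's code from [1045]. It assumes a simplified `permission` table of (username, action) rows in which a non-upper-case action names a group; the function names are hypothetical and the rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows for an assumed, simplified (username, action) table.
# An upper-case action is a permission; any other action names a group, and
# the group's own rows (username == group name) hold the group's permissions.
ROWS = [
    ("developers", "TICKET_ADMIN"),
    ("developers", "WIKI_MODIFY"),
    ("alice", "developers"),
    ("anonymous", "WIKI_VIEW"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE permission (username TEXT, action TEXT)")
    db.executemany("INSERT INTO permission VALUES (?, ?)", ROWS)
    return db

def effective_permissions(db, name):
    """Expand group membership transitively for one subject name."""
    seen, todo, perms = set(), [name], set()
    while todo:
        subject = todo.pop()
        if subject in seen:
            continue  # guards against group cycles
        seen.add(subject)
        for (action,) in db.execute(
                "SELECT action FROM permission WHERE username = ?", (subject,)):
            if action.isupper():
                perms.add(action)
            else:
                todo.append(action)  # a group name: expand it as a subject
    return perms

def name_is_reserved(db, name):
    """True if the name already has permission rows or is used as a group."""
    row = db.execute(
        "SELECT 1 FROM permission WHERE username = ? OR action = ? LIMIT 1",
        (name, name)).fetchone()
    return row is not None

def register(db, accounts, name):
    """Hypothetical registration hook: refuse names with existing permissions."""
    if name in accounts or name_is_reserved(db, name):
        raise ValueError("username %r is not available" % name)
    accounts.add(name)
```

Without the `name_is_reserved` check, an account named `developers` would resolve to the same rows as the group, so `effective_permissions` would return the group's permissions for it.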
