[patch] Case sensitive Authentication, but Case in-sensitive Authorization.
Reported by: andrew.krock@…  |  Owned by: hasienda
Cc: trac-hacks@…, snoopotic@…, mmitar@…  |  Trac Release: 0.11
I recently had an issue with my trac install and one of my programmers. I am using the following plugins:
- WebAdmin (from the trac website)
- TracAccountManager (from trac-hacks)
My new programmer complained that he did not have the adequate permissions that he should have, so I created a test account named "test" and added it to the same permission groups as that programmer's account. All the permissions were set properly; the problem came from the fact that his account name contained uppercase letters. Creating an account called "TEST" and not enabling any permissions gave me all the permissions assigned to the account "test". To the login system "TEST" and "test" are completely different, however to the authorization (permission) system "TEST" and "test" are the exact same account, and furthermore it will only apply the permissions set to the account "test" to both accounts when logged in.
This is a pretty big security hole in the AccountManagerPlugin System, as anyone can register an account using any combination of uppercase letters for any of your users or even permission groups.
This is pretty severe; I don't wish to have to add permissions for every combination of my admin accounts just to prevent anyone from hacking into my trac.
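The mismatch the reporter describes, modelled in a few lines so the failure mode and the fix can be checked side by side. This is an added, constructed example and is not AccountManagerPlugin code or the patch that closed the ticket; the `VulnerableSite`/`HardenedSite` classes, the `reproduce` replay and the `find_collisions` audit helper are all assumptions made for illustration. The vulnerable model keeps the password store keyed by the exact string typed at registration while the permission store lowercases names, which is the combination the ticket reports; the hardened model applies one canonical form (NFKC plus `casefold`) at every boundary and refuses a registration that collides with an existing account under that form.

```python
"""Constructed model of case-sensitive authentication paired with
case-insensitive authorization (example code, not the plugin's own)."""

import unicodedata
from dataclasses import dataclass, field


@dataclass
class VulnerableSite:
    # Password store keyed by the username exactly as registered
    # (so "test" and "TEST" are distinct credentials).
    passwords: dict = field(default_factory=dict)
    # Permission store keyed by the lowercased username, as the ticket
    # describes (so "test" and "TEST" share one permission set).
    perms: dict = field(default_factory=dict)

    def register(self, username, password):
        if username in self.passwords:
            raise ValueError("already registered")
        self.passwords[username] = password

    def login(self, username, password):
        return self.passwords.get(username) == password

    def grant(self, username, perm):
        self.perms.setdefault(username.lower(), set()).add(perm)

    def permissions(self, username):
        return set(self.perms.get(username.lower(), set()))


class HardenedSite(VulnerableSite):
    """Same two stores, but one canonical form is used for every lookup
    and registration is rejected when the canonical form already exists."""

    @staticmethod
    def canonical(username):
        # NFKC folds compatibility characters first; casefold() then
        # handles more than ASCII A-Z (e.g. German sharp s -> "ss").
        return unicodedata.normalize("NFKC", username).casefold()

    def register(self, username, password):
        key = self.canonical(username)
        if key in self.passwords:
            raise ValueError("name collides with an existing account")
        self.passwords[key] = password

    def login(self, username, password):
        return self.passwords.get(self.canonical(username)) == password

    def grant(self, username, perm):
        self.perms.setdefault(self.canonical(username), set()).add(perm)

    def permissions(self, username):
        return set(self.perms.get(self.canonical(username), set()))


def reproduce(site_cls):
    """Replay the ticket's scenario against a site model: the admin account
    "test" exists, then "TEST" is registered with its own password.
    Returns (registration_succeeded, permissions seen by "TEST")."""
    site = site_cls()
    site.register("test", "correct horse")     # constructed credentials
    site.grant("test", "TRAC_ADMIN")
    try:
        site.register("TEST", "different password")
    except ValueError:
        return False, set()
    # A separate credential logged in as a separate user...
    assert site.login("TEST", "different password")
    # ...but which permissions does the authorization side see?
    return True, site.permissions("TEST")


def find_collisions(usernames):
    """Defender's audit for an existing user list: group names that become
    identical under the canonical form. Returns {canonical: [names...]}
    for groups with more than one member."""
    groups = {}
    for name in usernames:
        groups.setdefault(HardenedSite.canonical(name), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    print("vulnerable:", reproduce(VulnerableSite))  # (True, {'TRAC_ADMIN'})
    print("hardened:  ", reproduce(HardenedSite))    # (False, set())
    print(find_collisions(["test", "TEST", "alice", "Alice", "bob"]))
```

Running `reproduce` against the two models shows the difference in one line each: the vulnerable model lets "TEST" register and then reports `TRAC_ADMIN` for it, the hardened model refuses the registration. `find_collisions` is the check an administrator would want before enabling such a fix on a live install, since accounts that already differ only by case have to be reconciled by hand rather than silently merged.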
Change History (26)
comment:8 follow-up: ↓ 11 Changed 7 years ago by mgood
- Resolution set to fixed
- Status changed from new to closed
comment:9 follow-up: ↓ 10 Changed 7 years ago by ThurnerRupert
- Resolution fixed deleted
- Status changed from closed to reopened
comment:15 in reply to: ↑ 13 Changed 6 years ago by pacopablo
- Owner changed from mgood to pacopablo
- Status changed from reopened to new
Changed 5 years ago by manski
comment:19 in reply to: ↑ 16 Changed 3 years ago by hasienda
- Keywords needinfo auth permission added
- Owner changed from pacopablo to hasienda
- Summary changed from Case sensitive Authentication, and Case in-sensitive Authorization. to Case sensitive Authentication, but Case in-sensitive Authorization.
comment:20 in reply to: ↑ 17 Changed 3 years ago by hasienda
- Keywords needinfo removed
- Priority changed from highest to high
- Severity changed from blocker to critical
- Status changed from new to assigned
- Summary changed from Case sensitive Authentication, but Case in-sensitive Authorization. to [patch] Case sensitive Authentication, but Case in-sensitive Authorization.
comment:21 Changed 3 years ago by hasienda
- Resolution set to fixed
- Status changed from assigned to closed