Opened 12 years ago

Closed 11 years ago

Last modified 11 years ago

#155 closed defect (fixed)

It's possible to register accounts with the same name as permission groups

Reported by: itamar@…
Owned by: Matt Good
Priority: highest
Component: AccountManagerPlugin
Severity: critical
Keywords:
Cc: Gunnar Wagenknecht
Trac Release: 0.8

Description

The documentation suggests you can create permission groups, assign them permissions, and then assign that group as a permission to a user. A malicious attacker can then register a user with the same name as a permission group, thus gaining all the permissions of that group.

Attachments (0)

Change History (3)

comment:1 Changed 11 years ago by Gunnar Wagenknecht

Cc: Gunnar Wagenknecht added; anonymous removed
Trac Release: 0.8

comment:2 Changed 11 years ago by Matt Good

Priority: changed from normal to highest
Status: changed from new to assigned

comment:3 Changed 11 years ago by Matt Good

Resolution: fixed
Status: changed from assigned to closed

(In [1045]) disallow registration of accounts which have existing permissions (fixes #155)
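
The collision reported in this ticket and the kind of registration check the fix describes, as an added example that is not the plugin's code from [1045]. It assumes a simplified permission table in which users and groups share one subject namespace and a non-uppercase action names a group; the table layout, sample rows and all function names are hypothetical.

```python
import sqlite3

# Constructed sample data: (subject, action). A subject is a user or a group;
# an action that is not all-uppercase names a group the subject belongs to.
SAMPLE_ROWS = [
    ("developers", "TICKET_MODIFY"),
    ("developers", "WIKI_ADMIN"),
    ("alice", "developers"),   # alice is a member of the group "developers"
    ("bob", "reviewers"),      # "reviewers" has a member but no permissions yet
    ("anonymous", "WIKI_VIEW"),
]

class RegistrationError(Exception):
    pass

def make_db(rows=SAMPLE_ROWS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE permission (subject TEXT, action TEXT)")
    db.execute("CREATE TABLE account (name TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO permission VALUES (?, ?)", rows)
    return db

def effective_permissions(db, name):
    """Resolve a subject's permissions, expanding group membership."""
    seen, todo, perms = set(), [name], set()
    while todo:
        subject = todo.pop()
        if subject in seen:
            continue
        seen.add(subject)
        query = "SELECT action FROM permission WHERE subject = ?"
        for (action,) in db.execute(query, (subject,)):
            if action.isupper():
                perms.add(action)    # a concrete permission
            else:
                todo.append(action)  # a group: resolve it too
    return perms

def has_existing_permissions(db, name):
    """True if the name already appears as a subject or as a group."""
    query = "SELECT 1 FROM permission WHERE subject = ? OR action = ? LIMIT 1"
    return db.execute(query, (name, name)).fetchone() is not None

def register(db, name):
    """Create an account only if the name carries no permissions already."""
    if has_existing_permissions(db, name):
        raise RegistrationError("name already has permissions: %r" % name)
    db.execute("INSERT INTO account VALUES (?)", (name,))
```

Without the check in `register`, an account named `developers` would resolve to the same permission set as the group itself.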
