Context Navigation

Modify ↓

#155 closed defect (fixed)

It's possible to register accounts with the same name as permission groups

Reported by:	itamar@…	Owned by:	Matt Good
Priority:	highest	Component:	AccountManagerPlugin
Severity:	critical	Keywords:
Cc:	Gunnar Wagenknecht	Trac Release:	0.8

Description

The documentation suggests you can create permission groups, assign them permissions, and then assign that group as a permission to a user. A malicious attacker can then register a user with the same name as a permission group, thus gaining all the permissions of that group.

Attachments (0)

Change History (3)

comment:1 Changed 19 years ago by Gunnar Wagenknecht

Cc:	Gunnar Wagenknecht added; anonymous removed
Trac Release:	→ 0.8

comment:2 Changed 19 years ago by Matt Good

Priority:	normal → highest
Status:	new → assigned

comment:3 Changed 19 years ago by Matt Good

Resolution:	→ fixed
Status:	assigned → closed

(In [1045]) disallow registration of accounts which have existing permissions (fixes #155)

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Matt Good.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: