Opened 11 years ago

Closed 10 years ago

Last modified 10 years ago

#155 closed defect (fixed)

It's possible to register accounts with the same name as permission groups

Reported by: itamar@…
Owned by: mgood
Priority: highest
Component: AccountManagerPlugin
Severity: critical
Keywords:
Cc: gunnar
Trac Release: 0.8


The documentation suggests you can create permission groups, assign them permissions, and then assign that group as a permission to a user. A malicious attacker can then register a user with the same name as a permission group, thus gaining all the permissions of that group.

Attachments (0)

Change History (3)

comment:1 Changed 10 years ago by gunnar

  • Cc gunnar added; anonymous removed
  • Trac Release set to 0.8

comment:2 Changed 10 years ago by mgood

  • Priority changed from normal to highest
  • Status changed from new to assigned

comment:3 Changed 10 years ago by mgood

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [1045]) disallow registration of accounts which have existing permissions (fixes #155)
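
The name collision reported in this ticket and a registration check of the kind the fix describes, as an added example that is not the plugin's code from [1045]. The two-table schema, the function names and the sample rows are assumptions made for illustration, and the check also refuses names that appear only as a group, which goes slightly beyond the wording of the commit message.

```python
import sqlite3

def make_db():
    """Constructed sample data; the two-table schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (username TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE permission (username TEXT, action TEXT)")
    db.executemany("INSERT INTO permission VALUES (?, ?)", [
        ("developers", "TICKET_ADMIN"),  # permissions granted to a group
        ("developers", "WIKI_DELETE"),
        ("alice", "developers"),         # alice is a member of the group
        ("alice", "reviewers"),          # group with no grants of its own yet
    ])
    db.execute("INSERT INTO account VALUES ('alice')")
    return db

def effective_permissions(db, user):
    """Resolve a subject's permissions, following group names transitively."""
    perms, seen, todo = set(), set(), [user]
    while todo:
        subject = todo.pop()
        if subject in seen:
            continue
        seen.add(subject)
        rows = db.execute(
            "SELECT action FROM permission WHERE username = ?", (subject,))
        for (action,) in rows:
            if action.isupper():      # assumed convention: upper case = permission
                perms.add(action)
            else:                     # anything else names a group
                todo.append(action)
    return perms

def register(db, name, check_permissions=True):
    """Create an account; return False if the name is refused."""
    arg = {"n": name}
    taken = db.execute(
        "SELECT 1 FROM account WHERE username = :n", arg).fetchone()
    if not taken and check_permissions:
        # Refuse names that already appear as a permission subject or a group.
        taken = db.execute(
            "SELECT 1 FROM permission WHERE username = :n OR action = :n",
            arg).fetchone()
    if taken:
        return False
    db.execute("INSERT INTO account VALUES (:n)", arg)
    return True
```

With `check_permissions=False` the new account `developers` resolves to the group's permissions immediately; with the check enabled the same registration is refused, while an unused name such as `bob` is accepted with no permissions.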
