It's possible to register accounts with the same name as permission groups
|Reported by:|itamar@…|Owned by:|mgood|
The documentation suggests you can create permission groups, assign them permissions, and then assign that group as a permission to a user. A malicious attacker can then register a user with the same name as a permission group, thus gaining all the permissions of that group.
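The collision described in this ticket, shown on a simplified model together with a registration-time check. This is an added example, not part of the ticket or the project's code; the row layout, the sample names, and the case-insensitive comparison are assumptions.

```python
# Simplified model (constructed for illustration, not the project's code):
# permissions are (subject, grant) rows, where a grant is either an action or
# a group name, and groups and users share a single subject namespace.
ACTIONS = {"WIKI_VIEW", "TICKET_CREATE", "TICKET_ADMIN"}

# Constructed sample rows.
PERMISSIONS = [
    ("developers", "TICKET_CREATE"),
    ("developers", "TICKET_ADMIN"),
    ("alice", "developers"),
    ("anonymous", "WIKI_VIEW"),
]

def effective_actions(subject, rows):
    """Expand group membership transitively into the set of actions."""
    seen, actions, stack = set(), set(), [subject]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for subj, grant in rows:
            if subj == name:
                if grant in ACTIONS:
                    actions.add(grant)
                else:
                    stack.append(grant)  # grant is a group name: follow it
    return actions

def reserved_names(rows):
    """Every name already used as a permission subject or as a group grant."""
    names = set()
    for subj, grant in rows:
        names.add(subj.lower())
        if grant not in ACTIONS:
            names.add(grant.lower())
    return names

def can_register(username, rows, existing_users):
    """Refuse a new account whose name collides with a user or a permission subject."""
    name = username.strip().lower()
    if not name or name in {u.lower() for u in existing_users}:
        return False
    return name not in reserved_names(rows)
```

Because the lookup keys only on the subject string, a subject named `developers` resolves to the group's actions whether it is a group or an account, which is why the check has to run before the account is created.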
Change History (3)
comment:2 Changed 10 years ago by mgood
- Priority changed from normal to highest
- Status changed from new to assigned