
#2058 Freaking Huge Hole in 1.1.2

Security_Hole
closed
Security (98)
5
2007-08-16
2007-05-23
ibroker
No

If you enable public access, they can not only edit previous public posts, but also posts made by the admin!!

Public posts should not be editable at all, or at least give the option to be turned off. What can happen is a spammer can modify previous posts (which is what happened to my calendar; I had to trash the entire site extras table).

They were able to get in and modify the site extras table for ALL previous events.

This is a huge hole.

Discussion

  • Ray Jones

    Ray Jones - 2007-05-23
    • status: open --> pending
     
  • Ray Jones

    Ray Jones - 2007-05-23

    Logged In: YES
    user_id=1090373
    Originator: NO

    You can control 'Public Access' permission to edit events with the 'User Access Control' under Settings.

    -Ray

     
  • ibroker

    ibroker - 2007-05-23
    • status: pending --> open
     
  • ibroker

    ibroker - 2007-05-23

    Logged In: YES
    user_id=1662545
    Originator: YES

    The public access wasn't given access to the admin calendar to edit it, only view it. There should never be a case where the public access can edit the admin calendar, especially since there is no way to select that ability in the user access control (under Allow Access to Other Users' Calendar).

    I only allowed them access to add events. (I even tested this out with trying to edit admin events and got denied.) However, they were able to edit the site_extras table, and completely trash my calendar.

    This is still a huge hole
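The failure mode described in this report, as an added illustration written for this page (it is not WebCalendar's code; the real table layout and access-control implementation are not shown in the thread): the ownership check guards edits to the event record itself, but a secondary table holding per-event extras is written without consulting the same decision, so a login that is only allowed to view and add can still overwrite every event's extras. All users, tables and grants below are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    login: str
    is_admin: bool = False


@dataclass
class Event:
    id: int
    owner: str
    title: str


# Hypothetical 'User Access Control' grants: what a login may do on another
# user's calendar. Constructed for this example; '__public__' stands for the
# anonymous public-access login, which here may view and add but not edit.
ACCESS = {
    ("__public__", "admin"): {"view": True, "add": True, "edit": False},
}


def can_edit_event(user: User, event: Event) -> bool:
    """One authorization decision for any write that touches an event."""
    if user.is_admin or user.login == event.owner:
        return True
    grant = ACCESS.get((user.login, event.owner))
    return bool(grant and grant.get("edit"))


def update_title(events, user, event_id, title):
    """The guarded path: editing the event record itself is checked."""
    ev = events[event_id]
    if not can_edit_event(user, ev):
        raise PermissionError(f"{user.login} may not edit event {event_id}")
    ev.title = title
    return ev.title


def update_extras_unchecked(extras, user, event_id, name, value):
    """The bug pattern: a secondary table written with no ownership check,
    so any login that can reach this path can alter any event's extras."""
    extras.setdefault(event_id, {})[name] = value
    return extras[event_id]


def update_extras_checked(events, extras, user, event_id, name, value):
    """The fix: the extras path reuses the same decision as the event path."""
    ev = events[event_id]
    if not can_edit_event(user, ev):
        raise PermissionError(f"{user.login} may not edit extras of event {event_id}")
    extras.setdefault(event_id, {})[name] = value
    return extras[event_id]


def demo():
    """Run the public login against an admin-owned event and report outcomes."""
    public = User("__public__")
    admin = User("admin", is_admin=True)
    events = {1: Event(1, "admin", "Staff meeting")}
    extras = {1: {"location": "Room 101"}}          # constructed sample row
    out = {}

    try:
        update_title(events, public, 1, "defaced")
        out["public_title_edit"] = "allowed"
    except PermissionError:
        out["public_title_edit"] = "denied"        # what the reporter observed

    update_extras_unchecked(extras, public, 1, "location", "spam")
    out["public_extras_unchecked"] = extras[1]["location"]   # 'spam': the hole

    try:
        update_extras_checked(events, extras, public, 1, "location", "spam again")
        out["public_extras_checked"] = "allowed"
    except PermissionError:
        out["public_extras_checked"] = "denied"

    # The owner is still allowed through the checked path.
    out["admin_extras_checked"] = update_extras_checked(
        events, extras, admin, 1, "location", "Room 101")["location"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the checked version is that every write reachable from a request, not just the one on the main record, passes through the same `can_edit_event` decision; when reviewing a fix for a report like this one, the thing to look for is any other table keyed by event id that is updated without that call.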

     
  • Arthur

    Arthur - 2007-07-15

    Logged In: YES
    user_id=1684623
    Originator: NO

    Looks like https://sourceforge.net/tracker/?func=detail&atid=103870&aid=1751928&group_id=3870

    The authors don't seem to think this is a serious problem. It's fixed in cvs, but no announcement has been made and the fix hasn't been ported to the 1.0.x series.

     
  • Ray Jones

    Ray Jones - 2007-07-16

    Logged In: YES
    user_id=1090373
    Originator: NO

    Is this fixed for you? If so, please close this bug report.

    -Ray

     
  • Ray Jones

    Ray Jones - 2007-07-16
    • status: open --> pending
     
  • SourceForge Robot

    • status: pending --> closed
     
  • SourceForge Robot

    Logged In: YES
    user_id=1312539
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 30 days (the time period specified by
    the administrator of this Tracker).

     
