MoinMoin

Tracker: Bugs

5 SECURITY: possible way to defeat ACLs - ID: 948103
Last Update: Comment added ( thomaswaldmann )

Suppose that you have a group called AdminGroup with
special privileges. An attacker can then create a
*user* called AdminGroup and gain those privileges.

The workaround is for the site admin to create an
account called AdminGroup and forget the password, but
a better solution would be for MoinMoin to forbid
creation of accounts which match the page_group_regex. I
can read Python but not write it, otherwise I'd fix
this bug myself. Shouldn't be too hard, though.


Michael Castleman ( mlc ) - 2004-05-05 00:25

5

Closed

None

Nobody/Anonymous

None

None

Public
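
The check proposed in the report, sketched as an added example (not MoinMoin's code and not the fix that went into 1.2.2): a simplified ACL lookup shows why the name collision grants the group's rights, and an account-name validator rejects names in the group-page namespace. The regex value, the function names `rights_for`, `is_valid_username` and `create_account`, and the sample data are assumptions made for illustration.

```python
import re

# Assumed pattern for illustration; a real wiki would read it from its
# page_group_regex setting.
PAGE_GROUP_REGEX = re.compile(r"[a-z]Group$")

# Constructed sample data: group page -> members, and ACL entries in order.
GROUPS = {"AdminGroup": {"alice"}}
ACL = [("AdminGroup", {"read", "write", "admin"}), ("All", {"read"})]


def rights_for(username, acl=ACL, groups=GROUPS):
    """Simplified ACL evaluation: the first matching entry wins.

    An entry matches when it names the user directly, names a group the
    user belongs to, or is the catch-all "All". Matching on the bare name
    is what lets an account called "AdminGroup" pick up the group's entry.
    """
    for name, rights in acl:
        if name == username or username in groups.get(name, ()) or name == "All":
            return rights
    return set()


def is_valid_username(name, group_regex=PAGE_GROUP_REGEX):
    """Reject empty names and names that fall into the group-page namespace."""
    name = name.strip()  # normalise first so padding cannot dodge the regex
    return bool(name) and group_regex.search(name) is None


def create_account(name, accounts):
    """Apply the namespace check before the account name is stored."""
    if not is_valid_username(name):
        raise ValueError(f"account name {name!r} is empty or matches the group page pattern")
    name = name.strip()
    if name in accounts:
        raise ValueError(f"account name {name!r} already exists")
    accounts.add(name)
    return name
```
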


Comment ( 1 )

Date: 2004-05-06 19:47
Sender: thomaswaldmann (Project Admin)

Logged In: YES
user_id=100649

Fixed in arch branch moin--main--1.2.

Will also be in 1.2.2, when it is released.

Thanks for reporting!



Attached File

No Files Currently Attached

Changes ( 2 )

Field Old Value Date By
status_id Open 2004-05-06 19:47 thomaswaldmann
close_date - 2004-05-06 19:47 thomaswaldmann