#51 SECURITY: possible way to defeat ACLs

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2004-05-06
Created: 2004-05-05
Private: No

Suppose that you have a group called AdminGroup with
special privileges. An attacker can then create a
*user* called AdminGroup and gain those privileges.

The workaround is for the site admin to create an
account called AdminGroup and forget the password, but
a better solution would be for MoinMoin to forbid
creation of accounts which match the page_group_regex. I
can read Python but not write it, otherwise I'd fix
this bug myself. Shouldn't be too hard, though.
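As an added illustration (not code from MoinMoin or from this report), here is a Python sketch of the registration check the reporter asks for, beside a toy ACL resolver that contrasts a name-only lookup with one that resolves group-looking entries only through group membership. The regex, function names and sample data are assumptions of this example, not MoinMoin's actual implementation.

```python
import re
from typing import Dict, Optional, Set

# Assumed stand-in for MoinMoin's page_group_regex setting: group pages
# are named "<Something>Group". The exact default pattern is an assumption.
PAGE_GROUP_REGEX = re.compile(r"^[A-Z][A-Za-z0-9]*Group$")


def is_group_name(name: str) -> bool:
    """True if a name looks like a group page, e.g. "AdminGroup"."""
    return PAGE_GROUP_REGEX.match(name) is not None


def validate_new_username(name: str, existing: Set[str]) -> Optional[str]:
    """Return None if the name may be registered, else the rejection reason.

    Refusing names that match the group regex guarantees that no user can
    ever share a name with a group referenced in an ACL.
    """
    if not name or name != name.strip():
        return "empty or has surrounding whitespace"
    if name in existing:
        return "already taken"
    if is_group_name(name):
        return "matches page_group_regex"
    return None


def acl_allows_vulnerable(acl: Dict[str, Set[str]], user: str, right: str,
                          groups: Dict[str, Set[str]]) -> bool:
    """Name-only resolution: an ACL entry grants access to a user whose
    account name equals the entry OR who is a member of the group of that
    name. A user account named like a group therefore matches directly."""
    for entry, rights in acl.items():
        if right in rights and (entry == user or user in groups.get(entry, set())):
            return True
    return False


def acl_allows_hardened(acl: Dict[str, Set[str]], user: str, right: str,
                        groups: Dict[str, Set[str]]) -> bool:
    """Group-looking entries are resolved only via membership, never by
    comparing them to the account name; other entries match the name."""
    for entry, rights in acl.items():
        if right not in rights:
            continue
        if is_group_name(entry):
            if user in groups.get(entry, set()):
                return True
        elif entry == user:
            return True
    return False
```

Both checks belong together: the registration filter stops the clash from arising, and the resolver stops a pre-existing clash from granting rights.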

Discussion

  • Thomas Waldmann

    Thomas Waldmann - 2004-05-06
    • status: open --> closed
     
  • Thomas Waldmann

    Thomas Waldmann - 2004-05-06


    Fixed in arch branch moin--main--1.2.

    Will also be in 1.2.2, when it is released.

    Thanks for reporting!
