Suppose that you have a group called AdminGroup with
special privileges. An attacker can then create a
*user* called AdminGroup and gain those privileges.
The work around is for the site admin to create an
account called AdminGroup and forget the password, but
a better solution would be for MoinMoin to forbid
creation of accounts which mach the page_group_regex. I
can read Python but not write it, otherwise I'd fix
this bug myself. Shouldn't be too hard, though.
Log in to post a comment.