SECURITY: possible way to defeat ACLs
Brought to you by:
jhermann,
thomaswaldmann
Suppose that you have a group called AdminGroup with
special privileges. An attacker can then create a
*user* called AdminGroup and gain those privileges.
The work around is for the site admin to create an
account called AdminGroup and forget the password, but
a better solution would be for MoinMoin to forbid
creation of accounts which mach the page_group_regex. I
can read Python but not write it, otherwise I'd fix
this bug myself. Shouldn't be too hard, though.
Logged In: YES
user_id=100649
Fixed in arch branch moin--main--1.2.
Will also be in 1.2.2, when it is released.
Thanks for reporting!