From: Kevin M. S. <sh...@cg...> - 2001-11-14 13:23:28
I am cross-posting this here as well as the support request board. I am sorry if you are seeing this multiple times. -k

-------

If a privileged account deletes a Department before deleting the users assigned to that department, then the user is unable to be deleted or modified, but still has the ability to log in. I discovered this during the implementation. I used the phphelpdesk.mysql to create my database. I wanted to test behavior with the sample data first. When I was done cleaning out the phoney data with the web interface, I went back and tried to log in with "it"/"it". I was surprised to see that I got in. I have a detailed explanation below. Any questions, feel free to email me.

----

load page: http://phphelpdesk.yourdomain.com/index.php

1. Login.

2. Click on "Add Department". Follow proper steps to add the department. To test, do not be bothered aligning permissions, any will do. I added (testdepartment).

3. When main page returns, click on "Add User". Follow proper steps, be sure that you are adding your user to the "testdepartment" ONLY. If two departments are assigned to one user, and one department gets deleted, then some useless data is left behind in some tables, but no security hole should exist. I added (testuser2).

4. Now verify from the mysql prompt that both department and user exist as expected.
My table output is here:

    mysql> select * from department;
    +----------------+
    | d_name         |
    +----------------+
    | Client         |
    | Internal       |
    | testdepartment |
    +----------------+
    3 rows in set (0.00 sec)

    mysql> select * from userdepartments ;
    +-------+-----------+----------------+
    | ud_id | s_user    | d_name         |
    +-------+-----------+----------------+
    |     2 | admin     | Client         |
    |     6 | testuser2 | testdepartment |
    |     5 | admin     | testdepartment |
    |     3 | shortt    | Client         |
    |     1 | admin     | Internal       |
    |     4 | shortt    | Internal       |
    +-------+-----------+----------------+
    6 rows in set (0.00 sec)

    mysql> select s_user from security;
    +-----------+
    | s_user    |
    +-----------+
    | admin     |
    | shortt    |
    | testuser2 |
    +-----------+
    3 rows in set (0.00 sec)

5. Click on "Delete Department". Follow the proper steps to delete a department. I deleted (testdepartment).

6. Now verify from the mysql prompt that department was deleted as expected. Notice that testuser2 still exists in the security table. My table output is here:

    mysql> select * from department;
    +----------+
    | d_name   |
    +----------+
    | Client   |
    | Internal |
    +----------+
    2 rows in set (0.00 sec)

    mysql> select * from userdepartments;
    +-------+--------+----------+
    | ud_id | s_user | d_name   |
    +-------+--------+----------+
    |     2 | admin  | Client   |
    |     3 | shortt | Client   |
    |     1 | admin  | Internal |
    |     4 | shortt | Internal |
    +-------+--------+----------+
    4 rows in set (0.00 sec)

    mysql> select s_user from security;
    +-----------+
    | s_user    |
    +-----------+
    | admin     |
    | shortt    |
    | testuser2 |
    +-----------+
    3 rows in set (0.00 sec)

7. Click on "Delete User". The only users (in my case) to choose are "shortt" and "admin".

8. Log out.

9. Log back in using testuser2. Bingo!!! you're back in.
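The condition described in the report, modelled as an added Python example that is not part of the original post or of phphelpdesk itself: an in-memory SQLite stand-in for the three tables shown above (table and column names security, department, userdepartments, s_user and d_name come from the post; the s_password column, the password storage and the sample credentials are assumptions), a query that lists accounts left with no department after a deletion, a login check that refuses such accounts, and a department-deletion routine that removes them so the "Delete User" page is never the only thing standing between an orphaned account and a working login.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data mirroring the three tables in the report. Table and
# column names (security, department, userdepartments, s_user, d_name) are
# from the post; the s_password column and the passwords are assumptions.
USERS = [("admin", "admin-pw"), ("shortt", "shortt-pw"), ("testuser2", "test-pw")]
DEPARTMENTS = ["Client", "Internal", "testdepartment"]
MEMBERSHIPS = [("admin", "Internal"), ("admin", "Client"), ("shortt", "Client"),
               ("shortt", "Internal"), ("admin", "testdepartment"),
               ("testuser2", "testdepartment")]


def _digest(password: str) -> str:
    # Stand-in for whatever the real application stores; the page does not show it.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the helpdesk schema (assumed layout, not phphelpdesk.mysql)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE security (s_user TEXT PRIMARY KEY, s_password TEXT NOT NULL)")
    con.execute("CREATE TABLE department (d_name TEXT PRIMARY KEY)")
    con.execute("CREATE TABLE userdepartments (ud_id INTEGER PRIMARY KEY AUTOINCREMENT,"
                " s_user TEXT NOT NULL, d_name TEXT NOT NULL)")
    con.executemany("INSERT INTO security VALUES (?, ?)", [(u, _digest(p)) for u, p in USERS])
    con.executemany("INSERT INTO department VALUES (?)", [(d,) for d in DEPARTMENTS])
    con.executemany("INSERT INTO userdepartments (s_user, d_name) VALUES (?, ?)", MEMBERSHIPS)
    con.commit()
    return con


def orphaned_users(con: sqlite3.Connection) -> list:
    """Detection: accounts in security that no longer belong to any department."""
    rows = con.execute(
        "SELECT s.s_user FROM security s"
        " LEFT JOIN userdepartments ud ON ud.s_user = s.s_user"
        " WHERE ud.s_user IS NULL ORDER BY s.s_user").fetchall()
    return [r[0] for r in rows]


def delete_department_naive(con: sqlite3.Connection, d_name: str) -> None:
    """Reproduces the report: memberships and the department go, the security row stays."""
    con.execute("DELETE FROM userdepartments WHERE d_name = ?", (d_name,))
    con.execute("DELETE FROM department WHERE d_name = ?", (d_name,))
    con.commit()


def delete_department_safe(con: sqlite3.Connection, d_name: str) -> list:
    """Same deletion, followed by removal of any account left without a department.
    Returns the accounts that were removed."""
    delete_department_naive(con, d_name)
    stranded = orphaned_users(con)
    con.executemany("DELETE FROM security WHERE s_user = ?", [(u,) for u in stranded])
    con.commit()
    return stranded


def _password_ok(con: sqlite3.Connection, user: str, password: str) -> bool:
    row = con.execute("SELECT s_password FROM security WHERE s_user = ?", (user,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _digest(password))


def login_naive(con: sqlite3.Connection, user: str, password: str) -> bool:
    """The check the report implies: only the security table is consulted."""
    return _password_ok(con, user, password)


def login_hardened(con: sqlite3.Connection, user: str, password: str) -> bool:
    """Credentials must match AND the account must still belong to an existing department."""
    if not _password_ok(con, user, password):
        return False
    row = con.execute(
        "SELECT 1 FROM userdepartments ud JOIN department d ON d.d_name = ud.d_name"
        " WHERE ud.s_user = ? LIMIT 1", (user,)).fetchone()
    return row is not None


def reproduce() -> dict:
    """Walks steps 5-9 of the report against the naive and the safe deletion."""
    con = build_db()
    delete_department_naive(con, "testdepartment")
    naive = {"orphans": orphaned_users(con),
             "testuser2_naive_login": login_naive(con, "testuser2", "test-pw"),
             "testuser2_hardened_login": login_hardened(con, "testuser2", "test-pw"),
             "admin_hardened_login": login_hardened(con, "admin", "admin-pw")}
    con = build_db()
    removed = delete_department_safe(con, "testdepartment")
    safe = {"removed": removed, "orphans": orphaned_users(con),
            "testuser2_naive_login": login_naive(con, "testuser2", "test-pw")}
    return {"naive": naive, "safe": safe}


if __name__ == "__main__":
    for variant, result in reproduce().items():
        print(variant, result)
```

The orphan query in `orphaned_users` is the check an administrator can run directly against the real database (the LEFT JOIN works the same in MySQL) to find accounts that the "Delete User" page will never list; `login_hardened` closes the hole from the authentication side, and `delete_department_safe` closes it at the source so both views of "who is a user" stay in agreement.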