[podwiki] MAJOR BUG detected - user-based authentication/authorization FAILURE
From: Thomas L. <to...@co...> - 2004-05-24 08:08:45
Hi,

this is my very first security advisory (he he)..

I've detected a major bug in the PodWiki Authentication code which affects user-based authorization. If a page is read or write protected by user (write = user:scip) then any logged in user will be granted permission. The authorization code ignores the "user:" stuff completely.

The bug can be observed here:
http://sourceforge.net/tracker/index.php?func=detail&aid=959294&group_id=107739&atid=649244

There is currently only one workaround possible: do not use user-based authentication. And, make regular backups of your data/ directory, just in case someone edits pages, who is not allowed to do so.

I'll try my best to fix this BUG asap.

Thanks, and kind regards,
Tom

--
Thomas Linden (http://www.daemon.de/)
tom at co dot daemon dot de

$_=`perl -v`;s;^.*ll;;s;$^=unpack"u", "'8V]D;')E<```";s;\W;;gs;$/=7*
($^=~s;.;;g);%^=map{$_=>1}split//,lc;$_=join$\, (sort keys(%^))[map{
ord($_)-$/}split//,'1I7E13?@E:7C1A7C=1:35<7C'];s"0(.)" \U$1"g;print;
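
The failure mode reported in the message above, as an added example that is not part of the original post and is not PodWiki code: a check that ignores the "user:" entry beside one that enforces it, plus a small regression matrix. Only the `user:scip` form comes from the post; the function names, the comma-separated list form and the sample user names are assumptions of this example.

```python
# Added illustration; NOT PodWiki source. Rule syntax beyond "user:scip" is assumed.

def parse_acl(value):
    """Split an ACL value such as 'user:scip' into (kind, name) pairs.
    Comma-separated lists are an assumption of this example."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, name = item.partition(":")
        # An entry without a kind prefix is kept with kind None so the
        # checker can refuse it instead of guessing what it means.
        entries.append((kind.strip().lower(), name.strip()) if sep else (None, item))
    return entries

def allowed_buggy(acl_value, session_user):
    """Behaviour described in the advisory: the 'user:' part is ignored,
    so being logged in is enough."""
    return session_user is not None

def allowed_fixed(acl_value, session_user):
    """Grant only when the logged-in user is named by a user: entry.
    Anonymous sessions, empty names and unknown entry kinds are denied."""
    if not session_user:
        return False
    for kind, name in parse_acl(acl_value):
        if kind == "user" and name and name == session_user:
            return True
    return False

def regression_matrix(check):
    """Run a check against constructed cases; return the list of failures."""
    cases = [  # (acl value, session user, expected) - constructed sample data
        ("user:scip", "scip", True),
        ("user:scip", "mallory", False),   # the case the advisory reports
        ("user:scip", None, False),        # not logged in
        ("user:scip, user:tom", "tom", True),
        ("user:", "", False),              # empty name must not match empty user
        ("scip", "scip", False),           # no kind prefix: fail closed
    ]
    return [(a, u) for a, u, want in cases if check(a, u) is not want]

if __name__ == "__main__":
    print("buggy failures:", regression_matrix(allowed_buggy))
    print("fixed failures:", regression_matrix(allowed_fixed))
```

A matrix of this kind covers the negative cases (wrong user, empty name, malformed entry) that a test exercising only the named user would miss.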