unity-idm-discuss

[Unity-idm-discuss] security issue for contents managers

[Sander A. <sa....@fz...>]

Hi Krzysztof,

I found a security issue for contents manages. If a users has
sys:AuthorizationRole Contents Manager, the user is able to "update"
his privileges and set the sys:AuthorizationRole to System Manager.
After a new login the user controls the whole system.

IMHO the update of this attribute beyond the own role must be prohibit.

Best regards,
Sander
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Re: [Unity-idm-discuss] security issue for contents managers

[Krzysztof B. <kb...@un...>]

Hi Sadner,

W dniu 06.06.2018 o 11:08, Sander Apweiler pisze:
> Hi Krzysztof,
>
> I found a security issue for contents manages. If a users has
> sys:AuthorizationRole Contents Manager, the user is able to "update"
> his privileges and set the sys:AuthorizationRole to System Manager.
> After a new login the user controls the whole system.
>
> IMHO the update of this attribute beyond the own role must be prohibit.
>

Yeah, you are right, opening a ticket for this.

Thanks,
Krzysztof