Minor security updates.

January 27, 2004

Security never stops, now does it?

Fixes include:

It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).

Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.

It was possible to delete other people’s personal events if you knew the event ID.

It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).

Due to an XSS issue, it was possible to change someone’s account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
The comment display suffered from the possibility of an SQL injection (reported by Jelmer).

It was possible to inject Javascript code in the calendar (reported by Jelmer).

It was possible to execute (but not save) Javascript code in the comment preview (reported by Jelmer).

-david macias

posted in General News by dmacias

Follow comments via the RSS Feed | Leave a comment | Trackback URL

Leave Your Comment

Powered by Wordpress and MySQL. Theme by Shlomi Noach, openark.org