View Issue Details

ID: 0000109
Project: WackoWiki
Category: action
View Status: public
Last Update: 2009-08-19 09:39
Reporter: adrianw
Assigned To: Tann San
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 4.2
Target Version: 4.3.rc
Fixed in Version: 4.3.rc
Summary: 0000109: Security issue with {{usergroups}} action

Description (adrianw, 19-04-2005 23:23)

Thank you for the usergroups action.
However, there is a possible exposure.
To avoid repeated editing of the Config file I usually add several users to a group at the same time. I can do this before the users register. Then as soon as they register, they have the appropriate group permissions.
However, now anyone can use the {{usergroups}} action and check for any names that have not yet registered. Then this person could register with the name he found in the {{usergroups}} listing and gain access to resources he is not supposed to see.
I suggest the following changes to the {{usergroups}} action:
1. for admins - output as at present
2. for registered users - list the group names but only list the members of the groups that I already belong to
3. for unregistered users - no output.
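The three rules above amount to an access filter in front of the group listing, plus an audit that tells an admin which pre-provisioned names are still unclaimed. The following is an added illustration of that filter, not WackoWiki's own {{usergroups}} code; the group table, the user names (including "PendingEditor" and "SiteAdmin") and the admin set are constructed for the example, and it also sorts group and member names A -> Z as later comments in this thread ask for.

```python
"""Illustrative model of the access rules proposed for {{usergroups}}.

Added example, not WackoWiki's own code. The group table, user names and the
admin list below are constructed for the demonstration.
"""
from typing import Dict, Iterable, List, Optional

# Constructed group config. "PendingEditor" has been added to a group before
# registering: the pre-provisioned name the report does not want exposed.
GROUPS: Dict[str, List[str]] = {
    "WackoWiki": ["TannSan", "AhA", "DaCon", "DidierSpaier", "SebastianDietzold"],
    "Editors": ["TannSan", "PendingEditor"],
}
# Constructed: accounts that actually exist, and which of them are admins.
REGISTERED = {"TannSan", "AhA", "DaCon", "DidierSpaier", "SebastianDietzold", "SiteAdmin"}
ADMINS = {"SiteAdmin"}


def sort_names(names: Iterable[str]) -> List[str]:
    """A -> Z, case-insensitive so 'aha' and 'AhA' would sort together."""
    return sorted(names, key=str.lower)


def usergroups_listing(groups, viewer: Optional[str], admins) -> Dict[str, Optional[List[str]]]:
    """Return the groups `viewer` may see, with members or None when withheld.

    viewer is None for an anonymous visitor, otherwise the logged-in user name.
    Rule 1: admins see every group and every member.
    Rule 2: other logged-in users see every group name, but members only for
            the groups they already belong to.
    Rule 3: anonymous visitors get nothing at all.
    """
    if viewer is None:
        return {}
    listing: Dict[str, Optional[List[str]]] = {}
    for group in sort_names(groups):
        members = sort_names(groups[group])
        if viewer in admins or viewer in members:
            listing[group] = members
        else:
            listing[group] = None  # group name is visible, membership is not
    return listing


def render(listing) -> List[str]:
    """Text lines in the shape the thread quotes: a group header, then names."""
    lines: List[str] = []
    for group, members in listing.items():
        lines.append(f"{group}:")
        lines.extend(members if members is not None else ["(members not shown)"])
    return lines


def unclaimed_names(groups, registered) -> List[str]:
    """Admin-side audit: names present in the group config with no account yet.

    Each one is exactly the kind of entry the report warns about, so an admin
    can review the list and remove entries that are no longer expected."""
    provisioned = {name for members in groups.values() for name in members}
    return sort_names(provisioned - set(registered))


if __name__ == "__main__":
    for viewer in (None, "AhA", "SiteAdmin"):
        print(f"--- viewer: {viewer or 'anonymous'}")
        print("\n".join(render(usergroups_listing(GROUPS, viewer, ADMINS))) or "(no output)")
    print("unclaimed:", unclaimed_names(GROUPS, REGISTERED))
```

The filter keys on the viewer's own session identity, never on a name supplied in the request, so a visitor cannot enumerate memberships by asking about other users. The sort happens on the data before rendering, which is the same place the server-side sort in this thread lives.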
Tags: No tags attached.

Relationships

parent of 0000117 (resolved, administrator): GUI interface to define user groups
related to 0000044 (resolved, Tann San): A {{mygroups}} page action would be useful

Activities

Tann San

2007-11-28 22:12

manager   ~0000205

Implemented as Adrian described.

administrator

2007-12-29 16:58

administrator   ~0000268

Can we sort the array before?

Tann San

2007-12-30 14:48

manager   ~0000270

<kirk>need...more...info</kirk>

administrator

2007-12-30 15:07

administrator   ~0000271

Last edited: 2008-08-23 14:37

Should sort the names of the users in the group A -> Z.

see http://wackowiki.org/WikiAdmin for instance

Tann San

2007-12-30 15:31

manager   ~0000272

Done. Now sorts group and user names.

administrator

2007-12-30 16:02

administrator   ~0000273

There is a problem, see link above; it seems not to sort the second group correctly.

Tann San

2007-12-30 16:28

manager   ~0000274

I see:

WackoWiki: <- in bold
AhA
DaCon
DidierSpaier
SebastianDietzold
TannSan
WikiAdmin <- in bold


What should I see?

administrator

2007-12-30 16:55

administrator   ~0000275

I see:

WackoWiki:
SebastianDietzold
AhA
DaCon
DidierSpaier
TannSan
WikiAdmin

File attached 2007-12-30 16:55: WikiAdmin (@WackoWiki).png (41,713 bytes)

Tann San

2007-12-31 12:10

manager   ~0000276

Well, I'm stumped. The sort takes place on the server, so we should be seeing the same results. I'll look into it more closely over the next few days, although in the meantime it would help if you cleared your browser cache and tried viewing the page again.

Issue History

Date Modified Username Field Change
2007-10-14 12:38 EoNy New Issue
2007-10-14 12:38 EoNy Legacy => NEW
2007-10-14 15:03 administrator Legacy NEW => NPJ
2007-10-15 23:26 administrator Status new => acknowledged
2007-10-31 19:20 administrator Relationship added related to 0000044
2007-11-01 14:53 administrator Relationship added parent of 0000117
2007-11-28 22:10 Tann San Status acknowledged => assigned
2007-11-28 22:10 Tann San Assigned To => Tann San
2007-11-28 22:12 Tann San Status assigned => resolved
2007-11-28 22:12 Tann San Fixed in Version => 5.0.0
2007-11-28 22:12 Tann San Resolution open => fixed
2007-11-28 22:12 Tann San Note Added: 0000205
2007-12-05 00:19 administrator Reporter EoNy => adrianw
2007-12-29 16:58 administrator Note Added: 0000268
2007-12-30 14:48 Tann San Note Added: 0000270
2007-12-30 15:07 administrator Note Added: 0000271
2007-12-30 15:31 Tann San Note Added: 0000272
2007-12-30 16:02 administrator Note Added: 0000273
2007-12-30 16:28 Tann San Note Added: 0000274
2007-12-30 16:55 administrator Note Added: 0000275
2007-12-30 16:55 administrator File Added: WikiAdmin (@WackoWiki).png
2007-12-31 12:10 Tann San Note Added: 0000276
2008-08-23 14:37 administrator Note Edited: 0000271
2009-08-19 09:22 administrator Fixed in Version 5.0.0 => 4.3.rc
2009-08-19 09:39 administrator Target Version => 4.3.rc
2010-03-08 10:09 administrator Category Action => action