emma created GUACAMOLE-507:
Summary: Allow "change own password" for user account allow to
modify / delete existing connections
Issue Type: Bug
Affects Versions: 1.0.0
Environment: Ubuntu server 16.04.3, guacamole git version client and
Testing the last guacamole-client AND guacamole-server git version with TOTP
extensions ON and MySQL database:
Allow "change own password" for user account allow to modify / delete existing
I create a standard user "test" by cloning the default admin account
"guacadmin". Then I just check the box "change own password", nothing more; all
other boxes are blank!
Then I connect through Guacamole with that new user "test" and try to change my
password, then I realized I was able to see the Users and Connections tabs and
access them!
While on the Users tab I cannot modify my own user profile (access denied), on
the Connections tab I can modify OR delete existing connections?!
Then I retry with a new user created WITHOUT a clone of the "guacadmin" default
account, and this time it seems to work as expected!
Worth checking that and confirming there's a security issue relating to cloning
an account vs creating a new account?
Thank you !
This message was sent by Atlassian JIRA