Jörn Nettingsmeier wrote:
hi *!


when i tried to use the currently "hidden" admin.changePassword usecase,
i realized it is quite hard to use, because it will throw a very nasty
exception if one does not also set the userId parameter. this is
unintuitive imho: if userId is not set explicitly, it should default to
changing the password of the currently active user.

the attached patch tries to accomplish this. could you please review it?

i just realized we have a huuuuge security hole that affects every lenya 1.4 installation:

* checkOldPassword is set by the (potentially hostile) client.
* the java code does not check that only admins may change passwords for
other user-ids than the currently logged-in one.

ergo any user can change the passwords of arbitrary other users,
including admins. instant DoS and privilege escalation, remotely
exploitable. not nice at all.

to reproduce the problem, do the following:

1. in the default publication, log in as lenya/levi.
2. create a guest account with limited rights.
3. log out.
4. log in as guest.
5. append the following to the url in your browser:
?lenya.usecase=admin.changePassword&userId=lenya&checkOldPassword=0
(the last part is not even necessary, since checkOldPassword defaults to
null)
6. change the password of user lenya.

the fact that the changePassword usecase is not accessible via the menu
does nothing to alleviate the problem; it merely means that this option
is only available to the bad guys. :(


i will try to fix this on friday if no one gets to do it tomorrow.

bed now.


regards,

jörn

--
"Open source takes the bullshit out of software."
        - Charles Ferguson on TechnologyReview.com

--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736
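The authorization decision the post is asking for, written out as an added Python example (not Lenya's code; the in-memory user store, the hashing and the parameter names other than userId and checkOldPassword are assumptions): userId defaults to the logged-in user, a non-admin is refused any other user id, and whether the old password is verified is decided on the server instead of being read from the request.

```python
import hashlib
import hmac
import secrets

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hashing the real user store applies.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Constructed in-memory user store (hypothetical; not Lenya's user manager)."""
    def __init__(self):
        self.users = {}  # user_id -> {"salt": bytes, "hash": bytes, "admin": bool}

    def add(self, user_id, password, admin=False):
        self.users[user_id] = {"salt": b"", "hash": b"", "admin": admin}
        self.set_password(user_id, password)

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users[user_id].update(salt=salt, hash=hash_password(password, salt))

    def verify(self, user_id, password):
        u = self.users[user_id]
        return hmac.compare_digest(u["hash"], hash_password(password, u["salt"]))

    def is_admin(self, user_id):
        return self.users[user_id]["admin"]

def change_password(store, session_user, params):
    """Hardened changePassword. `params` are the client-supplied request
    parameters and are never trusted for policy: checkOldPassword is not read
    from them, and the target user is authorised server-side."""
    # Default userId to the logged-in user instead of failing when it is absent.
    target = params.get("userId") or session_user
    # Only admins may touch another account; the client cannot opt out of this.
    if target != session_user and not store.is_admin(session_user):
        raise PermissionError("only administrators may change other users' passwords")
    if target not in store.users:
        raise ValueError("unknown user")
    # Policy decided here: changing your own password always needs the old one;
    # an admin resetting someone else's account does not.
    if target == session_user and not store.verify(target, params.get("oldPassword", "")):
        raise PermissionError("old password does not match")
    new_pw = params.get("newPassword", "")
    if len(new_pw) < 8:
        raise ValueError("new password too short")
    store.set_password(target, new_pw)
    return True
```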
