All I get is "You do not have access to these portlets". And any additional pane tabs with the configure icon that can be configured (bug 15968).
My version said 1.4-b4-dev. Perhaps that nightly was a little too early? I got mine by CVS mid day 1/15 CST. There is a nightly 1/16 out there already, try that.

-jim

> I downloaded the 1-15 nightly build today, tested this issue, and I am still seeing this hole.
>
> All I am doing is
>
> 1) Creating 2 jetspeed users with the admin account
> 2) modifying each of the psml files to be different in content,
> 3) Logging in with one user and then substituting the other user ID in the url.
> 4) The other user's content is displayed without any problem.
>
> Any thoughts?
>
> Jim Arnott <[EMAIL PROTECTED]> wrote:
>
> >In the latest CVS version, this is no longer the case. See
> >http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15968 for more info.
> >
> >jim arnott
> >Reuters R&D
> >
> >On Wed, 15 Jan 2003, Brad Straw wrote:
> >
> >> Hi,
> >>
> >> I have seen one other reference in the mailing list regarding a security hole, but I want to clarify this issue. The following url is displayed on the address bar:
> >>
> >> http://localhost:8080/portal/media-type/html/user/bstraw001/page/default.psml/js_pane/P-f2c3135036-10001
> >>
> >> This url design was not present in version 1.3a2.
> >>
> >> By substituting the userid with another valid userid, I can see the other user's content.
> >>
> >> Any thoughts? Mitigating controls? Missed configuration?
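An added example, not part of the thread and not Jetspeed's own code: a server-side ownership check of the kind that closes the user-ID substitution described above, by comparing the profile owner named in the URL with the user held in the session. It assumes the alternating key/value path layout visible in the quoted URL; `may_view_page`, the `admin` role name and the second user ID `bstraw002` are hypothetical.

```python
from urllib.parse import unquote, urlsplit

PORTAL_PREFIX = "/portal/"  # servlet mapping seen in the URL quoted in the thread


def parse_portal_path(url):
    """Split a portal URL into its alternating key/value path segments.

    Returns a list of (key, value) pairs, or None if the path is malformed.
    """
    path = urlsplit(url).path
    if not path.startswith(PORTAL_PREFIX):
        return None
    # Decode each segment once, after splitting, so an encoded slash (%2F)
    # cannot create or hide a segment boundary.
    segments = [unquote(s) for s in path[len(PORTAL_PREFIX):].split("/")]
    if len(segments) % 2 or any(s == "" for s in segments):
        return None
    return list(zip(segments[0::2], segments[1::2]))


def may_view_page(url, session_user, session_roles=frozenset()):
    """Allow a user-scoped page only to its owner (or an admin).

    session_user and session_roles must come from the server-side session,
    never from the request. The "admin" role name is an assumption.
    """
    pairs = parse_portal_path(url)
    if pairs is None or not session_user:
        return False
    owners = [value for key, value in pairs if key == "user"]
    if len(owners) != 1:  # missing or repeated /user/ key: ambiguous, deny
        return False
    if owners[0] == session_user:
        return True
    return "admin" in session_roles


# Constructed sample requests, modelled on the URL quoted in the thread.
BASE = ("http://localhost:8080/portal/media-type/html/user/{}"
        "/page/default.psml/js_pane/P-f2c3135036-10001")

if __name__ == "__main__":
    for owner, user in [("bstraw001", "bstraw001"), ("bstraw002", "bstraw001")]:
        print(owner, user, may_view_page(BASE.format(owner), user))
```

The check denies by default: a malformed path, a repeated `user` key or a mismatch with the session user all return `False`.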
