[MAGNOLIA-3006] Privilege escalation by logged-in user Created: 14/Jan/10 Updated: 02/Apr/13 Resolved: 15/Mar/10
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | admininterface, security |
| Affects Version/s: | 4.2.3 |
| Fix Version/s: | 4.3, 4.2.4, 4.1.6 |
| Type: | Bug | Priority: | Blocker |
| Reporter: | Jan Haderka | Assignee: | Jan Haderka |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
| Description |
|
Under certain conditions it is possible for a knowledgeable user to escalate his/her own privileges beyond those originally assigned. The "user" in question must be a valid user with access to admin central. The issue does not affect the anonymous user.
| Comments |
| Comment by Philipp Bärfuss [ 12/Mar/10 ] |
|
The ACLs were added because the user must be able to change his own password. I would go for a) as this is the only safe solution. But then we have to ensure that the user can change his properties in the dialog (but not the group and role assignments).
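The following is an added illustration of the remediation the comment above describes (self-service edits limited to the user's own properties, with group and role membership kept read-only); it is not Magnolia's code. The path layout (`/users/<name>/<property>`), the two permission levels, the property names and the "most specific entry wins" resolution are assumptions made for this example and do not describe Magnolia's repository or ACL format. The vulnerable variant grants write on the user's whole node so the password can be changed, which also covers `roles` and `groups`; the hardened variant grants write only on an explicit allow-list of properties.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed permission levels for this illustration; deny is the default (0).
READ, WRITE = 1, 2


@dataclass(frozen=True)
class AclEntry:
    path: str        # subtree the entry applies to, e.g. "/users/jan/password"
    permission: int  # READ or WRITE


def effective_permission(acl: List[AclEntry], path: str) -> int:
    """Deny by default; the most specific (longest) matching entry wins."""
    best = None
    for entry in acl:
        prefix = entry.path.rstrip("/") + "/"
        if path == entry.path or path.startswith(prefix):
            if best is None or len(entry.path) > len(best.path):
                best = entry
    return best.permission if best else 0


def self_service_acl(username: str, hardened: bool) -> List[AclEntry]:
    """ACL entries granted to a logged-in user on his own user node."""
    base = f"/users/{username}"
    if not hardened:
        # Vulnerable variant: write on the whole node so the user can change
        # the password. The grant also covers 'roles' and 'groups'.
        return [AclEntry(base, WRITE)]
    # Hardened variant: read on the node, write only on an allow-list of
    # self-editable properties. Membership properties get no write entry,
    # so the READ grant on the node is the most specific match for them.
    editable = ("password", "email", "fullName")  # assumed allow-list
    return [AclEntry(base, READ)] + [AclEntry(f"{base}/{p}", WRITE) for p in editable]


def write_property(acl: List[AclEntry], node: Dict[str, object],
                   username: str, prop: str, value: object) -> bool:
    """Server-side check on every property write; returns True if applied."""
    path = f"/users/{username}/{prop}"
    if effective_permission(acl, path) < WRITE:
        return False
    node[prop] = value
    return True


def escalation_attempt(hardened: bool) -> Dict[str, object]:
    """Logged-in user 'jan' changes his password, then tries to add himself
    to the 'superuser' role and 'administrators' group. Returns the node
    and which writes succeeded. The user node is constructed sample data."""
    node = {"password": "<hash>", "email": "jan@example.invalid",
            "roles": ["editor"], "groups": ["editors"]}
    acl = self_service_acl("jan", hardened)
    return {
        "node": node,
        "password_changed": write_property(acl, node, "jan", "password", "<new hash>"),
        "roles_changed": write_property(acl, node, "jan", "roles", ["editor", "superuser"]),
        "groups_changed": write_property(acl, node, "jan", "groups", ["editors", "administrators"]),
    }


if __name__ == "__main__":
    for hardened in (False, True):
        result = escalation_attempt(hardened)
        print("hardened" if hardened else "vulnerable", result)
```

The check in `write_property` is the one that matters: restricting which fields the dialog shows is not enough, because any other write path (another dialog, an import, an API call) reaches the same node, so the allow-list has to be enforced where the write is applied. Paths should also be normalised before matching so that a property name containing `..` or `/` cannot be made to match a more permissive entry.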
| Comment by Magnolia International [ 12/Mar/10 ] |
|
Maybe this is related: |