[kronolith] A security bug?

Jeff Graves jeff@image-src.com
Fri, 11 Jan 2002 09:42:24 -0500


Check out Michael Cochrane's horde/imp patch for this:

>
> I'd like to be able to automatically refresh the parent frame after
> logging in (so that the administration icon appears in the lower
> menubar and disappears upon logout)
http://www.graftonhall.co.nz/mikes/Horde%20Diffs/Refresh%20Horde%20Menu/

It doesn't remove the security bug (as anyone can access horde/admin)
but gets rid of the immediate problem of giving an icon to the user.

Jeff Graves
Customer Support Engineer
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019

508.966.5200 X31 - Phone
508.966.5170 - Fax
jeff@image-src.com - Email

-----Original Message-----
From: Jan Schneider [mailto:jan@horde.org]
Sent: Friday, January 11, 2002 5:42 AM
To: kronolith@lists.horde.org
Cc: Atif Ghaffar
Subject: Re: [kronolith] A security bug?


Quoting Pasi Savilaakso <larskis@nietos.tokem.fi>:

> I tested an admin array on Horde 2 and found out the following
> "security hole". If I am logged on as one of the admins and refresh
> the screen, the admin button appears at the bottom of the screen.
> After pressing the logout button in the right upper corner, the admin
> button remains in the program bar at the bottom. Now I can log in
> with another user (who is not an admin) and still enter the admin
> part of Horde and change the values. I have not made any special
> changes to the files.

The admin directory isn't secured by the admin array, but users.php
can't be accessed if you're not logged in as an admin.

I think the css editor doesn't check for admin rights, but that's
because it hasn't been maintained for a while. But it works only if
the webserver has write rights on the html.php files anyway.

Atif, do you want to check for admin rights in the css editor?

Jan.

--
::::::::::::::::::::::::::::::::::::::::
AMMMa AG - discover your knowledge
:::::::::::::::::::::::::::
Detmolder Str. 25-33 :: D-33604 Bielefeld
fon +49.521.96878-0 :: fax  +49.521.96878-20
http://www.ammma.de
::::::::::::::::::::::::::::::::::::::::::::::

--
Kronolith mailing list: http://horde.org/kronolith/
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: kronolith-unsubscribe@lists.horde.org
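The point Jan makes above (an icon that is merely hidden in the menu bar is not access control; each admin script has to check the admin array itself) as an added PHP illustration. This is not Horde's code; the names $conf['admin'], $_SESSION['horde_user'], isAdmin() and requireAdmin() are assumptions for the example, not Horde 2 APIs.

```php
<?php
// Added illustration, not Horde's own code. The configuration key
// $conf['admin'], the session key $_SESSION['horde_user'] and the two
// functions below are assumptions made for this example.

// Constructed configuration: the usernames that count as admins.
$conf = ['admin' => ['alice', 'bob']];

/**
 * True when $user is listed in the admin array.
 * Strict comparison so that a non-string value can never match a name.
 */
function isAdmin(array $conf, ?string $user): bool
{
    return $user !== null && in_array($user, $conf['admin'], true);
}

/**
 * Server-side gate. Every script under admin/ (users.php, the css
 * editor, ...) runs this as its first statement. The identity comes from
 * the current session only, never from a request parameter or from what
 * the menu frame last displayed.
 */
function requireAdmin(array $conf): void
{
    $user = $_SESSION['horde_user'] ?? null;
    if (!isAdmin($conf, $user)) {
        header('HTTP/1.0 403 Forbidden');
        exit('Admin rights required.');
    }
}

/**
 * The weak pattern described in the thread: the menu decides whether to
 * draw the admin icon, but a script that relies on this alone does
 * nothing to stop a direct request to its URL. Icon visibility is a
 * display decision, not an authorization decision.
 */
function menuItems(array $conf, ?string $user): array
{
    $items = ['calendar', 'mail'];
    if (isAdmin($conf, $user)) {
        $items[] = 'admin';
    }
    return $items;
}
```

Dropping the icon from the menu on logout (what the linked patch does) fixes the display; only the requireAdmin() style check in each admin script fixes the access.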