[wicked] Re: wicked page security
Jan Schneider
jan at horde.org
Fri Apr 15 00:15:02 PDT 2005
Quoting Brian Martinez <martinez_brain at hotmail.com>:
> This is an excerpt from an email that I received from my manager regarding
> the Wiki.
> It may be a problem that requires examination, as it may provide users the
> capability to end-run security.
>
>> I just stumbled on an interesting "security hole" in the wiki. I was
>> reviewing some of Tuna's docs on the STB ops and clicked on recent
>> additions. I notice that everything was either yours or guest. However
>> there was one doc called ShoDaHo. Naturally, curiosity killed the cat (and
>> innocence). So, I clicked on the doc name to check it out. Not too
>> surprisingly, I was denied access. However, I was able to view the diffs
>> (red and blue glass) which gave me full access to the w"hole" doc (pun
>> intended). Somehow I don't think this is an intended 'feature'.
Permissions are not yet correctly checked in all places. There is
already a ticket on bugs.horde.org regarding a similar issue. Please
either add to that ticket or create a new one.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
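As an added illustration (not part of the original message, and not Horde or Wicked code), here is a toy Python model of the reported pattern: the page view checks read permission while the diff view does not, next to a form that authorizes once at a single entry point, plus a regression check that lists the handlers answering a user who may not read the page. All function names and the page contents are hypothetical; only the page name comes from the report.

```python
import difflib
# Constructed sample data: page name -> allowed readers and stored versions.
PAGES = {
    "ShoDaHo": {"readers": {"brian"}, "versions": ["plan A", "plan A\nplan B"]},
    "StbOps": {"readers": {"brian", "guest"}, "versions": ["ops notes"]},
}

class Denied(Exception):
    """Raised when a user may not read a page."""

def can_read(user, page):
    return user in PAGES[page]["readers"]

def render_view(page):
    return PAGES[page]["versions"][-1]

def render_diff(page):
    versions = PAGES[page]["versions"]
    old = versions[-2] if len(versions) > 1 else ""
    return "\n".join(difflib.ndiff(old.splitlines(), versions[-1].splitlines()))

def view_checked(user, page):
    # Per-action check: correct, but every new action must remember to repeat it.
    if not can_read(user, page):
        raise Denied(page)
    return render_view(page)

def diff_unchecked(user, page):
    # The reported pattern: the diff renderer is reachable without any check.
    return render_diff(page)

RENDERERS = {"view": render_view, "diff": render_diff}

def dispatch(action, user, page):
    # Hardened form: one check at the single entry point covers every renderer.
    if not can_read(user, page):
        raise Denied(page)
    return RENDERERS[action](page)

def leaking_actions(handlers, user, page):
    """Regression check: names of handlers that answer a user who cannot read page."""
    leaks = []
    for name, handler in sorted(handlers.items()):
        try:
            handler(user, page)
            leaks.append(name)
        except Denied:
            pass
    return leaks
```

Running `leaking_actions` over every registered handler with a user who lacks read access turns "not yet checked in all places" into a test that fails whenever a new view is added without authorization.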