Jörn Nettingsmeier wrote:
> i just realized we have a huuuuge security hole that affects every lenya
> 1.4 installation:
>
> * checkOldPassword is set by the (potentially hostile) client.
> * the java code does not check that only admins may change passwords for
> other user-ids than the currently logged-in one.
>
> ergo any user can change the passwords of arbitrary other users,
> including admins. instant dos and privilege escalation, remotely
> exploitable. not nice at all.
<..>
> i will try to fix this on friday if no one gets to do it tomorrow.
hi guys! before i try to implement it, please comment on this new policy
for changing passwords:
/**
 * Usecase to change a user's password.
 */
public class UserPassword extends AccessControlUsecase {
    /*
     * If the optional parameter "userId" is not set, we assume that the
     * password of the currently logged in user is to be changed.
     *
     * Non-privileged users (i.e. those not belonging to the "admin" group)
     * cannot set userId to another user, i.e. they can only ever change
     * their own passwords.
     *
     * Privileged users (those in the admin group) can set userId, and thus
     * change the passwords of other users.
     *
     * All users will have to provide their own password again when they
     * try to change passwords, regardless of the fact that they are
     * already authenticated.
     * This is to protect users who leave their session unattended "for
     * just a second" from having their passwords changed by passers-by.
     *
     * A formerly existing parameter "checkPassword", which could be
     * used to override this password check, has been abolished for
     * security reasons.
     */
}
as you see, this adds a very special meaning to the group "admin". is
that appropriate and in keeping with current usage? if so, i want to
make sure that this is sufficiently documented. where are the current
semantics of the admin group defined? (if the answer is "in the source
code somewhere", bzzzt, zero points.) what would be the best place to
define security semantics authoritatively?
regards,
jörn
--
"Án nýrra verka, án nútimans, hættir fortíðin að vekja áhuga."
"Without new works, without the present the past will cease to be of
interest."
- Ásmundur Sveinsson (1893-1982)
--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736
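The policy proposed in the message above, written out as a stand-alone Java class so the three checks (target defaults to the session user, only "admin" members may name someone else, the caller always re-enters their own password with no client-settable override) can be read in order. This is an added example, not Jörn's code and not Lenya's AccessControlUsecase API; the class name, the in-memory credential map and the admin set are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Stand-alone model of the proposed policy; not Lenya's UserPassword usecase. */
public class PasswordChangePolicy {
    private final Set<String> adminGroup;      // constructed: members of the "admin" group
    private final Map<String, String> store;   // constructed: userId -> current password

    public PasswordChangePolicy(Set<String> adminGroup, Map<String, String> store) {
        this.adminGroup = adminGroup;
        this.store = store;
    }

    /**
     * @param sessionUser identity from the authenticated session, never from the request
     * @param requestedId optional "userId" request parameter; null or empty means "myself"
     * @param ownPassword the caller's own current password, always required
     * @param newPassword the replacement password for the target account
     * @return true if the change was applied, false if the policy refused it
     */
    public boolean changePassword(String sessionUser, String requestedId,
                                  String ownPassword, String newPassword) {
        // Default the target to the session user; the client never decides who it is.
        String target = (requestedId == null || requestedId.isEmpty()) ? sessionUser : requestedId;

        // Only members of "admin" may name an account other than their own.
        if (!target.equals(sessionUser) && !adminGroup.contains(sessionUser)) {
            return false;
        }
        // Re-authenticate the caller unconditionally. There is no request parameter
        // (the former checkPassword) that can switch this check off.
        if (ownPassword == null || !ownPassword.equals(store.get(sessionUser))) {
            return false;
        }
        if (!store.containsKey(target)) return false;   // refuse to create unknown accounts
        store.put(target, newPassword);
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> store = new HashMap<>();
        store.put("alice", "alice-pw");            // constructed sample accounts
        store.put("root", "root-pw");
        PasswordChangePolicy policy = new PasswordChangePolicy(Set.of("root"), store);
        System.out.println(policy.changePassword("alice", "root", "alice-pw", "x"));    // false: not admin
        System.out.println(policy.changePassword("alice", null, "wrong", "x"));         // false: bad own pw
        System.out.println(policy.changePassword("alice", "", "alice-pw", "new"));      // true: own account
        System.out.println(policy.changePassword("root", "alice", "root-pw", "reset")); // true: admin
    }
}
```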