[JIRA] [ci-game] (JENKINS-18568) Security Issue: score may be modified in people -> configure screen

[burntcornmuf...@gmail.com (JIRA)]

Brandon McKenzie created JENKINS-18568 Security Issue: score may be modified in people -> configure screen Issue Type: Bug Affects Versions: current Assignee: redsolo Attachments: CI-game exploit.png Components: ci-game Created: 01/Jul/13 8:04 PM Description: In Jenkins, if a user accesses the People page, then accesses any user page, the score for that user is displayed in a disabled field. Using the Firefox html inspector (Firefox -> Web Developer -> Inspector), a user may click on the disabled field, then modify the value field for the game.score control in the inpector's view of the page source. Upon clicking save in Jenkins, the new score is committed to the scoreboard. Environment: Windows + Firefox browser session connected to remote Jenkins server Project: Jenkins Labels: security plugin Priority: Blocker Reporter: Brandon McKenzie

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira

--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.