Issue 947531
Created on 2004-05-04 08:08 by anonymous, last changed 2004-05-04 08:08 by anonymous.
msg1201 | Author: [hidden] (anonymous) | Date: 2004-05-04 08:08
This is a MAJOR security hole.

If one user A logs into Roundup and is in the process of creating an issue but has not yet hit "submit" and meanwhile another user B happens to log in, then user A's issue is created as if he was B -- in general, A's entire session becomes as if his identity became B, including for example, the "Hello, A" text miraculously turning into "Hello, B".

And when multiple users are trying to use the tracker simultaneously, complete chaos results, as it did when I was trying to tutor 8 people simultaneously to use the tracker.

To reproduce, visit www.hotchips.org:8088/coolchips and repeat the steps described above, with A = suds/suds and B = admin/admin or vice-versa.

Please contact me at suds@sudhakar.net if needed.

msg1202 | Author: [hidden] (richard) | Date: 2004-05-04 10:49
This is a known and fixed bug.
Yes, I hope to get a fixed release out soon.

Date | User | Action | Args
2004-05-04 08:08:41 | anonymous | create |