List: turbine-dev
Subject: Security Hole in Turbine 2.1
From: Zhengrong Jerry Liu <zjl () cs ! stanford ! edu>
Date: 2001-06-29 4:31:35
Hi,
I am playing with tdk2.1. When looking at the Flux, the built-in
accounting and access control application, I noticed there is
no security check for account management actions. So, a
user not in the turbine_role can add a new account by posting
the request directly to the server. For example, a regular
user can go to this URL
http://server_name/turbine/servlet/Turbine/template/user%2CFluxUserForm.vm/username/sfdla?mode=insert
directly and add a new account.
Regards,
Jerry
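
The check the report finds missing, as an added sketch that is not part of the original message and is not Turbine or Flux code: a server-side gate that parses the request the way the URL above is laid out (key/value pairs in the path-info plus the query string) and requires the role before a guarded template is served. The role name is taken from the message; the guarded-template set, the function names and the literal-comma variant are assumptions.

```python
from urllib.parse import urlsplit, unquote, parse_qs

# Role name as written in the message above. Which templates are guarded,
# and every function name here, are assumptions made for this sketch.
REQUIRED_ROLE = "turbine_role"
GUARDED_TEMPLATES = {"user,FluxUserForm.vm"}
SERVLET_MARKER = "/servlet/Turbine/"


def parse_request(url):
    """Return the parameters a Turbine-style URL carries.

    Path-info after the servlet is a run of /key/value pairs; the query
    string adds more. Segments are split before decoding, so an encoded
    comma (%2C) and a literal comma name the same template.
    """
    parts = urlsplit(url)
    _, found, path_info = parts.path.partition(SERVLET_MARKER)
    if not found:
        raise ValueError("not a Turbine servlet URL")
    segments = [unquote(s) for s in path_info.split("/") if s]
    if len(segments) % 2:
        raise ValueError("path-info is not key/value pairs")
    params = dict(zip(segments[0::2], segments[1::2]))
    for key, values in parse_qs(parts.query).items():
        params[key] = values[-1]
    return params


def handle(url, session_roles):
    """Return an HTTP status: the role check runs on every request for a
    guarded template, no matter how the client got to the URL."""
    try:
        params = parse_request(url)
    except ValueError:
        return 400
    if params.get("template") in GUARDED_TEMPLATES:
        if REQUIRED_ROLE not in session_roles:
            return 403
    return 200


# The URL from the message, plus a constructed literal-comma variant.
REPORTED = ("http://server_name/turbine/servlet/Turbine/template/"
            "user%2CFluxUserForm.vm/username/sfdla?mode=insert")
VARIANT = REPORTED.replace("%2C", ",")
```

The decision is keyed on the decoded template name and the session's roles, so hiding the link in the UI or changing the encoding of the URL does not affect the outcome.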