Exploit - User can promote themselves to Admin without Admin interference

jccaribe - February 24, 2007 - 21:26
Project:OG Roles
Version:5.x-1.x-dev
Component:User interface
Category:task
Priority:normal
Assigned:jccaribe
Status:active
Description

At my web site I found one exploit which can be solved by turning off OG Roles. Unadvised users can repeat my mistakes; follow them:

a) On User Roles, I created Admin with full access to all modules; it's useful when the site has more than one manager.

b) After installing the OG modules, access the OG Roles setup (dmin/og/og_roles) and check the Admin above.

c) Set the rules of the site to allow users to register themselves without admin interference, like (this site).

d) A user registered, logged in and now created an OG.

e) This user accessed Subscriber OG Rules (og/users/XXX/roles) and changed himself to Admin.

f) That's all, the user now is the admin of the site...

I think the user must be advised of this risk on the OG Roles setup.

#1

wojtha - March 8, 2007 - 12:39
Category:bug report» task
Priority:critical» normal

Ok, I'll add some help or description to the settings page in the next release, maybe even some "role access" scan, but I don't think that it is a "critical bug". This is at most a mistake of the administrator (i.e. the administrator can configure that every authenticated user gets the "administer site" permission on the "user access" page, and there are also no warnings about this).

Changing category and priority.
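The misconfiguration described in the report and the "role access scan" suggested in the reply both come down to one check: no role that a group owner can hand out through OG Roles should carry a site-wide administrative permission. The following audit is an added example written for this thread, not code from the OG Roles module or from either poster. It models the site's role table as a plain dictionary (an assumption; a real scan would read Drupal's `role` and `permission` tables), uses the Drupal 5 core permission names `administer access control`, `administer site configuration` and `administer users` as the set to flag, and the role layout and OG Roles setting are constructed sample data.

```python
# Drupal 5 core permissions that amount to control of the whole site.
# Any role carrying one of these must never be assignable at group level.
SITE_ADMIN_PERMISSIONS = {
    "administer access control",
    "administer site configuration",
    "administer users",
}

# Constructed sample role table: role name -> set of permissions.
# Mirrors the report: an "Admin" role with full access exists beside
# ordinary roles, and the site allows open self-registration.
CONSTRUCTED_ROLES = {
    "authenticated user": {"access content", "create story content"},
    "moderator": {"access content", "administer comments"},
    "Admin": {
        "access content",
        "administer access control",
        "administer site configuration",
        "administer users",
    },
}

# Constructed OG Roles setting as the reporter had it (step b): the site-wide
# Admin role is ticked, so any group owner can grant it via og/users/XXX/roles.
MISCONFIGURED_OG_ASSIGNABLE = ["moderator", "Admin"]


def audit_og_assignable_roles(roles, og_assignable):
    """Return {role: sorted dangerous permissions} for every role that OG Roles
    lets a group owner assign and that carries a site-wide admin permission.
    An empty dict means the OG Roles setting is safe."""
    findings = {}
    for role in og_assignable:
        if role not in roles:
            raise KeyError(f"OG Roles setting names an unknown role: {role!r}")
        dangerous = roles[role] & SITE_ADMIN_PERMISSIONS
        if dangerous:
            findings[role] = sorted(dangerous)
    return findings


def safe_og_assignable(roles, og_assignable):
    """Corrected OG Roles setting: the input list with flagged roles removed."""
    flagged = audit_og_assignable_roles(roles, og_assignable)
    return [role for role in og_assignable if role not in flagged]


def warning_text(findings):
    """The kind of notice the reply proposes adding to the settings page."""
    if not findings:
        return "OK: no group-assignable role carries site-wide admin permissions."
    lines = ["WARNING: group owners can grant these site-wide permissions:"]
    for role, perms in findings.items():
        lines.append(f"  role {role!r}: {', '.join(perms)}")
    return "\n".join(lines)


if __name__ == "__main__":
    findings = audit_og_assignable_roles(CONSTRUCTED_ROLES, MISCONFIGURED_OG_ASSIGNABLE)
    print(warning_text(findings))
    print("Corrected setting:", safe_og_assignable(CONSTRUCTED_ROLES, MISCONFIGURED_OG_ASSIGNABLE))
```

Run against the constructed data, the audit flags the `Admin` role and leaves `moderator`, which holds only `administer comments`, as the one role group owners may grant; extending `SITE_ADMIN_PERMISSIONS` with any other permission a site treats as equivalent to full control (for example `administer nodes`) is a one-line change.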
