Descriptive Problem Summary:
When submitting a bug, one can edit the Author field, so somebody could submit a bug under a foreign key.
This report has been submitted by me (with the friendly authorisation of COnfuesSHhg), but is set under his name and added to his 'My Issues', together with edit rights for his key.
(The credit for the bug should still go to him though, if it is one.)
Numbered Steps to Reproduce Problem:
Report a bug and change the Author field.
Expected Results:
A security alert of some sort and the server not accepting the report.
Actual Results:
The server does not seem to check if the key that is logged in on the homepage and the Author field correlate, so it just sets the bug-report under a foreign key.
Does the problem occur:
Every time? Or how often? Every time
In other user accounts? Yes
On other computers? N/A
Workarounds:
The server should check if Author and logged in key are identical and only then allow the report.
ID:79957
Aug 21 2009, 3:57 am
Not a bug
However if I'm missing something about this report that does point to a security issue, like perhaps regular users having access to that author-changing ability, that would be quite helpful to know.
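
The check proposed under Workarounds, combined with the reply's distinction between regular users and users who are allowed to change the author, could look like the following. This is an added example, not the tracker's own code: `Session`, `can_set_author`, `accept_report`, the form field names and the case-insensitive key comparison are all assumptions made for illustration.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("tracker.security")


class AuthorMismatch(Exception):
    """Client-supplied Author differs from the logged-in key."""


@dataclass(frozen=True)
class Session:
    # Hypothetical server-side session: who is actually logged in.
    key: str
    can_set_author: bool = False  # hypothetical staff-only privilege


def canonical(key: str) -> str:
    # Assumption: keys compare case-insensitively, ignoring outer whitespace.
    return key.strip().casefold()


def accept_report(session: Session, form: dict) -> dict:
    """Return the record to store, or raise AuthorMismatch.

    The Author form field is untrusted input; the session is the only
    authority for who is submitting.
    """
    claimed = form.get("author") or session.key
    if canonical(claimed) != canonical(session.key):
        if not session.can_set_author:
            # The "security alert of some sort" from Expected Results.
            log.warning("author mismatch: session=%r claimed=%r",
                        session.key, claimed)
            raise AuthorMismatch(claimed)
    return {
        "title": form["title"],
        "author": claimed,            # whose 'My Issues' and edit rights apply
        "submitted_by": session.key,  # always taken from the session, for audit
    }
```

Storing `submitted_by` separately means that even a permitted author change leaves a record of which key actually filed the report.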