Posted to dev@turbine.apache.org by Zhengrong Jerry Liu <zj...@cs.stanford.edu> on 2001/06/29 06:31:35 UTC

Security Hole in Turbine 2.1

Hi,

I am playing with tdk2.1.  When looking at the Flux, the built-in
accounting and access control application, I noticed there is
no security check for account management actions.  So, a
user not in the turbine_role can add a new account by posting
the request directly to the server.  For example, a regular
user can go to this URL

http://server_name/turbine/servlet/Turbine/template/user%2CFluxUserForm.vm/username/sfdla?mode=insert

directly and add a new account.

Regards,
Jerry
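Added example (not Flux or Turbine code): a small Python model of an account screen that dispatches on a `mode` request parameter. It parses the URL from the report into parameters and puts the unchecked handler beside one that refuses any state-changing mode unless the caller holds the role; the `turbine_role` name and the `/key/value` path layout are assumptions taken from the URL above.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote, urlsplit

ADMIN_ROLE = "turbine_role"                     # role named in the report
MUTATING_MODES = {"insert", "update", "delete"}  # anything that changes state


def parse_request(url: str) -> dict:
    """Merge Turbine-style /key/value path segments with the query string.
    Assumption: everything after '/Turbine/' alternates key, value, key, value."""
    parts = urlsplit(url)
    path = parts.path.split("/Turbine/", 1)[1] if "/Turbine/" in parts.path else ""
    segs = [unquote(s) for s in path.split("/") if s]
    params = dict(zip(segs[0::2], segs[1::2]))
    params.update(parse_qsl(parts.query))       # ?mode=insert lands here
    return params


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def handle_vulnerable(store: dict, requester: User, params: dict) -> str:
    """Trusts the mode parameter and never asks who is calling."""
    mode = params.get("mode", "view")
    if mode == "insert":
        store[params["username"]] = {"created_by": requester.name}
        return "inserted"
    return "viewed"


def handle_hardened(store: dict, requester: User, params: dict) -> str:
    """Same dispatch, but every mutating mode is gated on the role server-side,
    regardless of which form (if any) rendered the link."""
    mode = params.get("mode", "view")
    if mode in MUTATING_MODES and ADMIN_ROLE not in requester.roles:
        return "forbidden"                      # reject before touching the store
    if mode == "insert":
        store[params["username"]] = {"created_by": requester.name}
        return "inserted"
    return "viewed"
```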
