Posted to dev@turbine.apache.org by Zhengrong Jerry Liu <zj...@cs.stanford.edu> on 2001/06/29 06:31:35 UTC
Security Hole in Turbine 2.1
Hi,
I am playing with tdk2.1. When looking at the Flux, the built-in
accounting and access control application, I noticed there is
no security check for account management actions. So, a
user not in the turbine_role can add a new account by posting
the request directly to the server. For example, a regular
user can go to this URL
http://server_name/turbine/servlet/Turbine/template/user%2CFluxUserForm.vm/username/sfdla?mode=insert
directly and add a new account.
Regards,
Jerry
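
The missing check described in the post above, as an added example that is not part of the original message and is not Turbine or Flux code: an account-insert handler without a server-side role check, next to a base class that enforces the check before any handler body runs. The class names and the request model are hypothetical; turbine_role is the role name used in the post.

```java
import java.util.*;

// Hypothetical model of a servlet action layer; not Turbine's or Flux's real API.
public class ActionAuthzDemo {
    record Request(String user, Set<String> roles, Map<String, String> params) {}

    interface Action { String perform(Request r, Set<String> accounts); }

    // Before: the handler assumes only administrators can reach the form.
    static class InsertUserUnchecked implements Action {
        public String perform(Request r, Set<String> accounts) {
            accounts.add(r.params().get("username"));
            return "inserted";
        }
    }

    // After: every account-management action inherits a server-side role check.
    static abstract class SecureAction implements Action {
        static final String REQUIRED_ROLE = "turbine_role"; // role name as given in the post
        public final String perform(Request r, Set<String> accounts) {
            if (r.roles() == null || !r.roles().contains(REQUIRED_ROLE)) {
                return "denied"; // fail closed: no state change for unauthorized callers
            }
            return doPerform(r, accounts);
        }
        abstract String doPerform(Request r, Set<String> accounts);
    }

    static class InsertUserChecked extends SecureAction {
        String doPerform(Request r, Set<String> accounts) {
            accounts.add(r.params().get("username"));
            return "inserted";
        }
    }

    public static void main(String[] args) {
        // Constructed requests: a regular user and an administrator, both with mode=insert.
        Request regular = new Request("alice", Set.of("user"),
                Map.of("username", "sfdla", "mode", "insert"));
        Request admin = new Request("root", Set.of("turbine_role"),
                Map.of("username", "newadmin", "mode", "insert"));

        Set<String> before = new TreeSet<>(), after = new TreeSet<>();
        System.out.println("unchecked/regular: " + new InsertUserUnchecked().perform(regular, before) + " " + before);
        System.out.println("checked/regular:   " + new InsertUserChecked().perform(regular, after) + " " + after);
        System.out.println("checked/admin:     " + new InsertUserChecked().perform(admin, after) + " " + after);
    }
}
```

Because perform is final in the base class, a new account-management action cannot skip the role check by accident; it can only supply doPerform.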