awakening team mailing list archive

Thread
Date

[Bug 244668] [NEW] Anybody can use anybody's SID with no consequences

To: awakening@xxxxxxxxxxxxxxxxxxx
From: Pietry <pietry@xxxxxxxxxxxxxx>
Date: Tue, 01 Jul 2008 19:25:25 -0000
Reply-to: Bug 244668 <244668@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

Public security bug reported:

I can use user commands to send a message like BMSG somesid message,
where somesid can be some operator's SID. In this case, I can talk in
anybody's name, but even more, I can even take all the hub commands.
This is an extreme security vulnerability.

** Affects: ehub
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
Anybody can use anybody's SID with no consequences
https://bugs.launchpad.net/bugs/244668
You received this bug notification because you are a member of
Awakening, which is a direct subscriber.

Status in eHub: New

Bug description:
I can use user commands to send a message like BMSG somesid message, where somesid can be some operator's SID. In this case, I can talk in anybody's name, but even more, I can even take all the hub commands. This is an extreme security vulnerability.

Follow ups

[Bug 244668] Re: Anybody can use anybody's SID with no consequences
From: CyB, 2008-07-01
[Bug 244668] Re: Anybody can use anybody's SID with no consequences
From: CyB, 2008-07-01
[Bug 244668] [NEW] Anybody can use anybody's SID with no consequences
From: Pietry, 2008-07-01

References

[Bug 244668] [NEW] Anybody can use anybody's SID with no consequences
From: Pietry, 2008-07-01