awakening team mailing list archive

Thread
Date

[Bug 244668] Re: Anybody can use anybody's SID with no consequences

To: awakening@xxxxxxxxxxxxxxxxxxx
From: CyB <cyb@xxxxxxxxxx>
Date: Tue, 01 Jul 2008 21:49:46 -0000
Reply-to: Bug 244668 <244668@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a duplicate of bug 244592 ***
    https://bugs.launchpad.net/bugs/244592

Duplicated: https://bugs.launchpad.net/ehub/+bug/244592

** Changed in: ehub
       Status: New => Fix Committed

-- 
Anybody can use anybody's SID with no consequences
https://bugs.launchpad.net/bugs/244668
You received this bug notification because you are a member of
Awakening, which is a direct subscriber.

Status in eHub: Fix Committed

Bug description:
I can use user commands to send a message like BMSG somesid message, where somesid can be some operator's SID. In this case, I can talk in anybody's name, but even more, I can even take all the hub commands. This is an extreme security vulnerability.

References

[Bug 244668] [NEW] Anybody can use anybody's SID with no consequences
From: Pietry, 2008-07-01