awakening team mailing list archive

Thread
Date

[Bug 244668] Re: Anybody can use anybody's SID with no consequences

To: awakening@xxxxxxxxxxxxxxxxxxx
From: CyB <cyb@xxxxxxxxxx>
Date: Tue, 01 Jul 2008 21:56:22 -0000
Reply-to: Bug 244668 <244668@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a duplicate of bug 244592 ***
    https://bugs.launchpad.net/bugs/244592

** This bug has been marked a duplicate of bug 244592
   Need to verify message sources

-- 
Anybody can use anybody's SID with no consequences
https://bugs.launchpad.net/bugs/244668
You received this bug notification because you are a member of
Awakening, which is a direct subscriber.

Status in eHub: Fix Committed

Bug description:
I can use user commands to send a message like BMSG somesid message, where somesid can be some operator's SID. In this case, I can talk in anybody's name, but even more, I can even take all the hub commands. This is an extreme security vulnerability.

References

[Bug 244668] [NEW] Anybody can use anybody's SID with no consequences
From: Pietry, 2008-07-01