Maemo.org security vulnerability?
 

I would like to bring this issue, which I believe is a vulnerability that grants people access to the administration area, to the attention of the staff members.

Basically what happens is that when I login I sometimes get access (the links appear at the top of the page) to admin areas where I can edit sensitive information, as you can see from the screenshot (attachment).

Re: Maemo.org security vulnerability?
 

Screenshot is too small.
Maybe they're going to make you the new admin :rolleyes:

Re: Maemo.org security vulnerability?
 

what sensitive information? and wtf with sometimes? those are always there when your user account has sufficient rights to access certain features of midgard. don't know if the policies are too loose though.

Re: Maemo.org security vulnerability?
 

When you select "website" on that menu at the top is "Midgard Administration UI" enabled or is it grayed out?

Re: Maemo.org security vulnerability?
 

Not my fault, the website resizes the image when I upload it.

Stuff like page metadata and stuff related to administration.


No. They don't always appear. Which is why I'm saying it's a bug or something.

Well my account has no rights at all, I'm not part of the staff.

Re: Maemo.org security vulnerability?
 

So.. apart from regular users who can't do anything about it, nobody cares? Interesting.

Re: Maemo.org security vulnerability?
 

gimme an extra thousand 'thanks' and watch the uproar that ensues over that! :) maybe pm'ing a mod directly might be more effective for getting their attention though?

Re: Maemo.org security vulnerability?
 

Hey, I'm not their security advisor. The mods should be checking out every thread anyway. If they don't care, I'm not going to bother PM'ing them.

Re: Maemo.org security vulnerability?
 

Yesterday I saw Reggie viewing this thread ,he didnt respond hence there is nothing to worry about :)

Re: Maemo.org security vulnerability?
 

Then can you please do one of:

1. Attach it to a new bug report, including details of what you did to get there; the username you've logged on with and a series of screenshots showing each expanded menu entry.
2. Crop it and re-attach.

(1) would be the most productive, FWIW.

Reggie has no control over the Midgard portion of maemo.org.

Re: Maemo.org security vulnerability?
 

URL for raising this as a bug:

https://bugs.maemo.org/enter_bug.cgi....org%20Website

Re: Maemo.org security vulnerability?
 

I'm very sorry man, it's been a few days and when HellFlyer said that Reggie saw it and it's all ok I deleted the screenshot, I figured you either didn't really care or you knew about it..

Anyway my guess (just a hypothesis) is that Midgard has a serious flaw in that it checks the validity of the username and password independently. In other words, you can, in theory, log in with a user name from any valid account and a password from any other valid account. I'm saying this because basically what happened was I logged in with Safari but I only wrote my username and the browser filled in the password for me (must have been another password because I don't usually use Safari). I was then logged in as Technical GanXta instead of giecsar, as you can see from the screenshot (that text is actually readable).

Re: Maemo.org security vulnerability?
 

Nope, though in this case authentication is done via pam from garage db so the postgres end might have issue, but read on.

More likely is that for reason you managed to somehow hit page that was cached for another user. I can't check this in detail now since I'm on a business trip but I emailed some people to look into it.