Deleted users with Role != Deleted
While "playing" with the biblicious database for my master thesis I figured out that some deleted users (user_password = "inactive") are not marked as deleted (role != 3). This means that an attacker only needs to find out the user name to log in to a deleted account (we have added an AuthProvider that does not hash the password before comparing it with the database value, so "inactive" works as the password). Marking the deleted users with role = 3 deactivates the user and solves the problem.
Could one of the senior developers please check whether BibSonomy's database also contains these illegal values?
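An added example, not part of this ticket or of BibSonomy's own code: a constructed SQLite table using the column names the ticket mentions (user_name, user_password, role, updated_by) with made-up rows, the consistency check and the role repair described above, and an account-active gate that an authentication provider should pass before comparing any credential, so that a stale role alone cannot let the sentinel be accepted as a password.

```python
import sqlite3

DELETED_ROLE = 3          # role value the ticket says marks a deleted user
INACTIVE_PW = "inactive"  # sentinel the ticket says is written to user_password on deletion


def make_sample_db():
    """Constructed in-memory table; column names follow the ticket, the rows are made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (user_name TEXT PRIMARY KEY, user_password TEXT, "
                "role INTEGER, updated_by TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", [
        ("alice", "$hash$constructed-live-user", 0, None),  # live account, hashed password
        ("bob",   INACTIVE_PW, DELETED_ROLE, "on_delete"),  # deleted correctly
        ("carol", INACTIVE_PW, 0, "admin"),                 # deleted, role never updated
        ("dave",  INACTIVE_PW, 1, None),                    # same defect, unknown origin
    ])
    return con


def find_inconsistent(con):
    """User names whose password sentinel says 'deleted' while the role does not."""
    rows = con.execute("SELECT user_name FROM user WHERE user_password = ? AND role <> ? "
                       "ORDER BY user_name", (INACTIVE_PW, DELETED_ROLE))
    return [name for (name,) in rows]


def inconsistent_by_updater(con):
    """Break the inconsistent rows down by updated_by, as the ticket's follow-up comment does."""
    rows = con.execute("SELECT updated_by, COUNT(*) FROM user WHERE user_password = ? "
                       "AND role <> ? GROUP BY updated_by", (INACTIVE_PW, DELETED_ROLE))
    return {updater: n for updater, n in rows}


def repair(con):
    """The ticket's fix: UPDATE user SET role = 3 WHERE user_password = 'inactive'. Returns rows matched."""
    cur = con.execute("UPDATE user SET role = ? WHERE user_password = ?", (DELETED_ROLE, INACTIVE_PW))
    con.commit()
    return cur.rowcount


def account_active(con, user_name):
    """Gate to apply before any credential comparison: an account is inactive if EITHER
    deletion marker is set, so a stale role cannot make 'inactive' a valid password."""
    row = con.execute("SELECT user_password, role FROM user WHERE user_name = ?", (user_name,)).fetchone()
    if row is None:
        return False
    stored_password, role = row
    return role != DELETED_ROLE and stored_password != INACTIVE_PW


if __name__ == "__main__":
    con = make_sample_db()
    print("inconsistent:", find_inconsistent(con))               # ['carol', 'dave']
    print("by updater:", inconsistent_by_updater(con))           # {'admin': 1, None: 1}
    print("carol active before repair:", account_active(con, "carol"))  # False
    print("rows updated:", repair(con))                          # 3
    print("inconsistent after repair:", find_inconsistent(con))  # []
```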
Comments (8)
- reporter: query should be: UPDATE user SET role = 3 WHERE user_password = 'inactive';
- reporter: checked the updated_by column: not all users that have "inactive" and not role 3 were updated by "on_delete". Some were updated by admins (mark as not spam, spam to move all posts to spammer groups) and some have null values.
- reporter: changed version to 2.0.42; edited description
- reporter: changed status to open. Please fix on the production system.
- reporter: changed component to database
- reporter: changed version to 2.0.43
- reporter: changed status to resolved
- still there