Deleted users with Role != Deleted

Issue #1741 resolved
Daniel Zoller created an issue

While "playing" with the biblicious database for my master thesis I figured out that some deleted users (user_password = "inactive") are not marked as deleted (role != 3). This means that an attacker only needs to find out the user name to log in to a deleted account (we have added an AuthProvider that does not hash the password before comparing it with the database value, so "inactive" works as the password). Marking the deleted users with role = 3 deactivates the user and solves the problem.

Could one of the senior developers please check whether BibSonomy's database also contains these illegal values?

Comments (8)

  1. Daniel Zoller reporter

Checked the updated_by column: not all users that have "inactive" and not role 3 are updated by "on_delete". Some admins (mark as not spam, spam to move all posts to spammer groups) and some null values.
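The audit the report and the comment describe, as an added example that is not code from the issue or from the BibSonomy project: it flags every row carrying the "inactive" password marker without the deleted role, breaks the hits down by updated_by the way the reporter did, and applies the proposed fix (role = 3). The column names user_password, role and updated_by come from the issue; the table name "user", the user_name column, the role values for active users and the sample rows are constructed for the example, and the run uses an in-memory SQLite database rather than the real MySQL schema.

```python
import sqlite3

ROLE_DELETED = 3               # role value that deactivates an account (from the report)
DELETED_PASSWORD_MARKER = "inactive"  # literal written into user_password on deletion (from the report)

# Constructed sample data. The table name "user" and the user_name column are
# assumptions; the password hash for the active user is a placeholder.
SAMPLE_USERS = [
    ("alice", "$2a$placeholder-hash", 0, None),      # active, never deleted
    ("bob",   "inactive", 3, "on_delete"),           # deleted correctly
    ("carol", "inactive", 0, "on_delete"),           # marker set, role not updated
    ("dave",  "inactive", 1, "admin"),               # admin action left the marker
    ("erin",  "inactive", 0, None),                  # marker set, updated_by NULL
]


def open_sample_db():
    """Build an in-memory table shaped like the columns the report refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE "user" (user_name TEXT PRIMARY KEY, user_password TEXT, '
        "role INTEGER, updated_by TEXT)"
    )
    conn.executemany('INSERT INTO "user" VALUES (?, ?, ?, ?)', SAMPLE_USERS)
    conn.commit()
    return conn


# Shared predicate: deletion marker present but deleted role missing.
# role IS NULL is included deliberately: a plain "role != 3" silently skips NULL roles.
_INCONSISTENT = "user_password = ? AND (role IS NULL OR role != ?)"


def find_inconsistent_deleted_users(conn):
    """Return (user_name, role, updated_by) for accounts that still accept 'inactive' as a login."""
    return conn.execute(
        f'SELECT user_name, role, updated_by FROM "user" WHERE {_INCONSISTENT} ORDER BY user_name',
        (DELETED_PASSWORD_MARKER, ROLE_DELETED),
    ).fetchall()


def count_by_updater(conn):
    """Group the hits by updated_by (NULL shown as '<null>'), as done in the comment above."""
    rows = conn.execute(
        f"SELECT COALESCE(updated_by, '<null>'), COUNT(*) FROM \"user\" "
        f"WHERE {_INCONSISTENT} GROUP BY 1",
        (DELETED_PASSWORD_MARKER, ROLE_DELETED),
    ).fetchall()
    return dict(rows)


def mark_as_deleted(conn):
    """Apply the proposed fix: set role = 3 on every inconsistent row; return rows changed."""
    cur = conn.execute(
        f'UPDATE "user" SET role = ? WHERE {_INCONSISTENT}',
        (ROLE_DELETED, DELETED_PASSWORD_MARKER, ROLE_DELETED),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    for name, role, updater in find_inconsistent_deleted_users(db):
        print(f"{name}: role={role} updated_by={updater}")
    print("by updater:", count_by_updater(db))
    print("fixed:", mark_as_deleted(db))
    print("remaining:", find_inconsistent_deleted_users(db))
```

Run the SELECT first and keep its output; the updated_by breakdown is what tells you which code path (on_delete, an admin spam action, or something that left NULL) produced the rows, which matters more than the count for finding the root cause. The UPDATE only closes the login hole; it does not change that a literal string in user_password is accepted as a valid password by the plaintext AuthProvider, so that provider should also refuse any account whose role is 3 regardless of what the password column contains.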
