Urgent security vulnerability: Anonymous can edit anything on specified projects in Kenai
Replies: 4 - Last Post: March 10, 2010 01:58 by: lea_wang

Piotr Sobiech
Posted: March 08, 2010 14:33 by Piotr Sobiech

Original topic: http://kenai.com/projects/help/forums/bugs/topics/2574--Anonymous-User-owns-our-project-#p7170

Sorry about the duplication, but I think this is kind of urgent. It seems that the bug still exists. The actual names of projects 'taken' by the Anonymous User with userid = 2 are: Account, Android Menu, Assignment2 - Drinks Machine, BOLS_Ltd, BlueJ plugin for NetBeans, CPSC-3125, CajaTramiteV2, Ceará Java User Group, Colosug Opensolaris Distribution, CparcDef, DesgrelServicios2, ETDS Registration Application, Ensamblador, GUI project for 3916, Gestion1, I Battle HYG, IPL DEV, Insenerlahendused, JPA workshop., JVeterinarySystem, JXTA, Jade, JoglDemo, Knut, Laboratorio Avanzato di Basi di Dati, MLG, Mors, N/A, One.View 2.4, Open Community Translation Interface, OpenOffice.org Testextensions, PoC - JUnit, PoC - XMLParser, Portocarreiros Company, Prawie Gry, Project CalNum, Repit (moved to google code), Sun Mac Punchin GUI, The Minion Search Engine, Tochka-s site, Um estudo sobre JSF, Vo!zila - Inter Vehicular Communication, club, easyprot, ff_source, ibattle, juntatrocola, myERPortal, proyecto real ice desarrollo, quider, sapdAssignment2, sigavo, springdev, testwebgeoname, trabposdavesbrf, trackandfield.

Also, our project owner field in http://kenai.com/projects/prawiegry/edit is completely empty. Just yesterday our project was owned by kingpig. http://kenai.com/projects/prawiegry/members

Kenai revision 20100226.9e856ee

Also, if it could help, the only thing I did differently today from our usual use of Kenai is that I tried out the Kenai JSON API.

UPDATE: I confirmed that this 'anonymous user' started spamming message boards, so it is some kind of hack into the Kenai site. http://kenai.com/projects/cti

UPDATE2: I confirmed that ANY anonymous user (ANY not-logged-in user) can do ANYTHING on projects where he is the owner, even if permissions forbid him to do so. It is a really serious bug.
john_brock
Posted: March 08, 2010 15:15 by john_brock

Hi Piotr,

You are correct that this is a pretty major issue. We have a fix for it and will get it updated shortly. It is not a case of the site being hacked, though. The spam in the forums is because those projects chose to allow anonymous users to post to their forums, specifically by changing the permissions for the forums feature.

The bug is triggered when a project admin makes changes to the project settings and an error is returned for one of those settings; the owner then gets set to anonymous. We're taking this seriously and are fixing it very quickly. It took a bit of time to find the cause, but that has been done now. I'll have the projects that are currently owned by anonymous_user cleaned up in about an hour.

Thanks for keeping us informed of your findings.

The Project Kenai Team
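The two defects described in this thread (a failed settings update that leaves the owner set to the anonymous user, and an ownership check that then grants that anonymous visitor full rights) are a common pattern, so here is an added illustration in Python. This is a hypothetical model written for this page, not Kenai's code: only the anonymous userid of 2 and the project name come from the thread; the form-parsing rule "a missing owner field defaults to the anonymous id", the field names and the description length limit are constructed assumptions to make the failure reproducible beside its hardened form.

```python
from dataclasses import dataclass, replace

# Sentinel id of the not-logged-in visitor, as quoted in the thread (userid = 2).
ANONYMOUS_USER_ID = 2


class SettingsError(ValueError):
    """Raised when one submitted project setting fails validation."""


@dataclass
class Project:
    name: str
    owner_id: int
    description: str = ""


@dataclass
class Principal:
    user_id: int
    authenticated: bool  # False for the anonymous visitor


def validate_setting(key, value):
    """Per-field validation. The description limit is a constructed rule;
    the owner rule is the mitigation: the anonymous sentinel is never an owner."""
    if key == "description" and len(value) > 40:
        raise SettingsError("description too long")
    if key == "owner_id":
        if not isinstance(value, int) or value <= 0 or value == ANONYMOUS_USER_ID:
            raise SettingsError("owner must be a real, logged-in user")


def update_settings_buggy(project, form):
    """Assumed shape of the bug class (not Kenai's actual code): fields are
    written one at a time and a missing owner field silently defaults to the
    anonymous id, so an error on a later field leaves the project owned by
    anonymous. Mutates in place on purpose to show the half-applied state."""
    project.owner_id = form.get("owner_id", ANONYMOUS_USER_ID)
    if "description" in form:
        validate_setting("description", form["description"])  # may raise mid-update
        project.description = form["description"]
    return project


def update_settings_safe(project, form):
    """Hardened: validate every field first, treat an absent field as
    'unchanged' rather than 'default', and build the new state only after all
    checks pass so a failure cannot leave a half-applied project behind."""
    allowed = {"owner_id", "description"}
    changes = {}
    for key, value in form.items():
        if key not in allowed:
            raise SettingsError(f"unknown setting {key!r}")
        validate_setting(key, value)
        changes[key] = value
    return replace(project, **changes)  # new object; caller persists it atomically


def can_edit_naive(principal, project):
    """Ownership check that trusts the stored owner_id alone: an anonymous
    visitor whose sentinel id matches a corrupted owner_id gets full rights."""
    return principal.user_id == project.owner_id


def can_edit_safe(principal, project):
    """Hardened: owner rights require an authenticated principal, so even a
    corrupted owner_id equal to the anonymous sentinel grants nothing."""
    if not principal.authenticated:
        return False
    return principal.user_id == project.owner_id


def demo():
    """Runs both update paths on a constructed project and returns the outcomes."""
    bad_form = {"description": "x" * 50}  # owner omitted, description invalid
    anon = Principal(ANONYMOUS_USER_ID, authenticated=False)

    buggy = Project("prawiegry", owner_id=7)
    try:
        update_settings_buggy(buggy, bad_form)
    except SettingsError:
        pass  # error surfaced, but owner_id was already overwritten

    safe = Project("prawiegry", owner_id=7)
    try:
        update_settings_safe(safe, bad_form)
    except SettingsError:
        pass  # error surfaced and nothing was written

    return {
        "buggy_owner": buggy.owner_id,
        "buggy_anon_can_edit": can_edit_naive(anon, buggy),
        "safe_owner": safe.owner_id,
        "safe_anon_can_edit": can_edit_safe(anon, buggy),
    }


if __name__ == "__main__":
    print(demo())
```

The two mitigations are independent: validate-then-commit stops the owner from being corrupted by a partial update, and requiring an authenticated principal for owner rights limits the damage if a stored owner_id is ever wrong anyway.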
Piotr Sobiech
Posted: March 08, 2010 19:28 by Piotr Sobiech

Thank you for your hard work. I like Kenai, and just wanted to keep our work safe. I hope that Kenai won't change much after the conversion to java.net. Thank you once again.
john_brock
Posted: March 08, 2010 20:13 by john_brock

All affected projects (there were 57) have been fixed now. The scope of the bug is very small and can only be triggered by the project owners themselves. We'll have a hot fix out very shortly to completely nail this one shut.

Thanks again,
--jb
The Project Kenai Team