[opencms-dev] Security bug (or design flaw) with Account Manager role

Arash Kaffamanesh arash.kaffamanesh at pomegranate.de
Sat Feb 23 09:25:29 CET 2008


Hi,

this issue has been resolved in CVS HEAD, as Michael Moossen wrote this 
week, and will be available in OpenCms 7.0.4 shortly.
You have to upgrade to HEAD or wait for OpenCms 7.0.4.

Kind Regards,
Arash


John Weible schrieb:
> As our OpenCms installation grows, we're now needing to delegate more 
> things to a broader set of staff.  One of those things is we need to 
> enable some folks to do basic user management (specifically 
> adding/removing users from groups). 
>
> We're currently on 7.0.1.  So I tried granting the "Account Manager" 
> role to a couple of our NON-ADMINISTRATOR users.  This, as expected, 
> then allows them to add and remove groups for users.  The system also 
> correctly figures out that since they are not themselves "Root 
> Administrators", they are disallowed from promoting accounts to be 
> Administrators.
>
> The fatal flaw is that the system does NOT prevent them from changing 
> any Administrator's account password. 
>
> Is there some different way to configure the system to delegate this 
> ability without introducing such a compromise?
>
>   
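The authorization gap John describes, as an added illustrative model written for this page; it is not OpenCms code and not the fix Arash refers to, and the role names, the `User` class and both `set_password_*` functions are assumptions:

```python
# Constructed model of a delegated password-reset check. It mirrors the
# reported behaviour (role membership checked, target's privilege not) and
# the hardened form; it does not reuse OpenCms classes.
from dataclasses import dataclass, field

ROOT_ADMIN = "Root Administrator"        # assumed role names
ADMINISTRATOR = "Administrator"
ACCOUNT_MANAGER = "Account Manager"


class Forbidden(Exception):
    """Raised when an actor may not perform the requested change."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    password_hash: str = ""


def is_privileged(user: User) -> bool:
    # Any administrative role makes an account off-limits to delegates.
    return bool(user.roles & {ROOT_ADMIN, ADMINISTRATOR})


def set_password_flawed(actor: User, target: User, new_hash: str) -> None:
    """Behaviour as reported: only the actor's role is checked."""
    if not actor.roles & {ROOT_ADMIN, ACCOUNT_MANAGER}:
        raise Forbidden(f"{actor.name} may not manage accounts")
    target.password_hash = new_hash


def set_password_fixed(actor: User, target: User, new_hash: str) -> None:
    """Hardened: a delegate may only reset non-administrative accounts."""
    if ROOT_ADMIN in actor.roles:          # root admins manage everyone
        target.password_hash = new_hash
        return
    if ACCOUNT_MANAGER not in actor.roles:
        raise Forbidden(f"{actor.name} may not manage accounts")
    if is_privileged(target):              # the check the report says is missing
        raise Forbidden(f"{actor.name} may not reset administrator {target.name}")
    target.password_hash = new_hash


def allowed(check, actor: User, target: User) -> bool:
    """Return whether `check` lets actor reset target's password."""
    try:
        check(actor, target, "new-hash")
    except Forbidden:
        return False
    return True
```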
