Opened 17 years ago
Closed 17 years ago
#451 closed Defect (fixed)
Security risk - merge computers by name
| Reported by: | Richard Haselgrove | Owned by: | davea |
|---|---|---|---|
| Priority: | Major | Milestone: | Undetermined |
| Component: | Web - Project | Version: | |
| Keywords: | merge | Cc: | Ageless |
Description
I just noticed this new feature. It appeared as
10/24/07 [13945] Add "merge computers by name" feature
on the ServerUpdates list.
Security Risk - you can now apparently merge computers belonging to other people: the link appears on all users' hosts lists, not just the current logged-in user's.
Change History (5)
comment:1 Changed 17 years ago by
| Owner: | changed from Rytis to davea |
|---|
comment:3 Changed 17 years ago by
| Cc: | Ageless added |
|---|
comment:4 Changed 17 years ago by
| Component: | Server - Web - Forums → Server - Web - Project |
|---|---|
| Priority: | Critical → Major |
Clicking "merge computers by name" on somebody else's computer list merges your computers anyway. So there is no security risk, just confusing links. Lowering priority.
Note: See
TracTickets for help on using
tickets.
I tested it out on Einstein. Picked just anyone's computers to view and the merge computers on name option was there at the bottom. Clicking it and clicking Go ahead on the next link tried to merge my own computers though.
But even then, the option shouldn't be available on everyone's computer lists that we view. Only on our own list.