Anybody can use anybody's SID with no consequences
Bug #244668 reported by Pietry
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
eHub | Fix Committed | Undecided | Unassigned | |
Bug Description
I can use user commands to send a message like BMSG somesid message, where somesid can be some operator's SID. In this case, I can talk in anybody's name, but even more, I can even take all the hub commands. This is an extreme security vulnerability.
Duplicated: https://bugs.launchpad.net/ehub/+bug/244592
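The hub-side check whose absence this report describes, as an added example (not eHub's own code and not part of the original report): the source SID in a client-sent message is compared with the SID the hub assigned to that connection. It assumes the ADC message layout in which B, D, E and F messages carry the sender's SID as their first parameter; `check_source_sid`, the verdict names and the sample SIDs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

enum sid_verdict { SID_OK, SID_SPOOFED, SID_MALFORMED, SID_BAD_TYPE };

/* An ADC SID is exactly four base32 characters (A-Z, 2-7). */
static int is_sid(const char *s)
{
    for (int i = 0; i < 4; i++)
        if (!s[i] || !strchr("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", s[i]))
            return 0;
    return 1;
}

/* line: one message received from a client, newline already stripped.
 * session_sid: the 4-character SID the hub assigned to this connection. */
enum sid_verdict check_source_sid(const char *line, const char *session_sid)
{
    size_t len = strlen(line);
    if (len < 4)
        return SID_MALFORMED;
    switch (line[0]) {
    case 'H':                       /* hub-directed, carries no SID */
        return SID_OK;
    case 'B': case 'D': case 'E': case 'F':
        break;                      /* first parameter is the sender's SID */
    default:                        /* other types are not client-to-hub */
        return SID_BAD_TYPE;
    }
    /* Expect "<type><cmd> <sid>" followed by a space or end of line. */
    if (len < 9 || line[4] != ' ' || !is_sid(line + 5) ||
        (line[9] != ' ' && line[9] != '\0'))
        return SID_MALFORMED;
    /* Trust the connection, not the SID the client typed. */
    return memcmp(line + 5, session_sid, 4) == 0 ? SID_OK : SID_SPOOFED;
}

int main(void)
{
    /* Constructed samples: this session was assigned AAAB; AAAA is another user. */
    const char *samples[] = { "BMSG AAAB hello", "BMSG AAAA hello",
                              "DMSG AAAA AAAC hi", "HSUP ADBASE" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", check_source_sid(samples[i], "AAAB"), samples[i]);
    return 0;
}
```

A hub would run this before any command dispatch or permission lookup, so that operator privileges are always resolved from the connection's own SID.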