Bug 138218
| Summary: | security issue: able to create several org admins by submitting the form multiple times | | |
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Max Spevack <mspevack> |
| Component: | Installer | Assignee: | Robin Norwood <robin.norwood> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Max Spevack <mspevack> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 360 | CC: | rhn-bugs |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://rhnblade4.rhndev.redhat.com/newlogin/create_satellite.pxt | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-03-22 18:50:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 127673 | | |

Description
Max Spevack
2004-11-05 20:04:29 UTC
Fixed in CVS.

Test plan:

1) Perform satellite 3.6 install.
2) After creating the first user, return to the 'create_satellite.pxt' page, enter a different username, and click 'commit' again.
3) You should get a 500 error in the browser, and a message in the /etc/httpd/logs/error_log:

Attempt to create satellite user when a user already exists

Is that a success? I followed the test plan and I achieve precisely that. Ugly though.

We don't generally go out of our way to make things pretty for people who are doing 'funny' things. Using the back button to try to create a second first user counts as 'funny' in my book.

Mass move from PROD_READY to CLOSED:CURRENTRELEASE
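
The server-side guard the test plan exercises, as an added Python sketch that is not Satellite's own code: the first org admin is created only while the user table is empty, and the check and insert share one transaction. The schema, function names and the 409 response are assumptions for illustration; the fix tested above answers with a 500.

```python
import sqlite3

class FirstUserExists(Exception):
    """Raised when the initial org admin has already been created."""

def open_db():
    # Hypothetical schema. isolation_level=None: transactions are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, "
               "org_admin INTEGER NOT NULL)")
    return db

def create_first_admin(db, login):
    """Create the initial org admin only if no user exists yet."""
    # BEGIN IMMEDIATE takes the write lock before the check, so on a shared
    # database two concurrent submissions cannot both see an empty table.
    db.execute("BEGIN IMMEDIATE")
    try:
        (count,) = db.execute("SELECT COUNT(*) FROM users").fetchone()
        if count:
            raise FirstUserExists(
                "Attempt to create satellite user when a user already exists")
        db.execute("INSERT INTO users (login, org_admin) VALUES (?, 1)",
                   (login,))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise

def handle_submit(db, login):
    """Hypothetical form handler: returns (HTTP status, body)."""
    try:
        create_first_admin(db, login)
    except FirstUserExists as exc:
        # Assumption: refuse with 409 rather than an unhandled 500.
        return 409, str(exc)
    return 200, "created " + login

def org_admins(db):
    """List the logins that hold org admin rights."""
    return [row[0] for row in db.execute(
        "SELECT login FROM users WHERE org_admin = 1 ORDER BY login")]

if __name__ == "__main__":
    db = open_db()
    print(handle_submit(db, "admin1"))  # first submission (constructed input)
    print(handle_submit(db, "admin2"))  # form re-submitted with a new username
    print(org_admins(db))
```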