Bug 163259 - Prevent invalid channel and server group permissions
Prevent invalid channel and server group permissions
Product: Red Hat Network
Classification: Red Hat
Component: RHN/R&D (Show other bugs)
RHN Devel
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ken Ganong
Michael Bowman
Depends On:
Blocks: 147875
  Show dependency treegraph
Reported: 2005-07-14 11:30 EDT by Ken Ganong
Modified: 2007-04-18 13:29 EDT (History)
1 user (show)

See Also:
Fixed In Version: RHN 4.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-08-31 22:36:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ken Ganong 2005-07-14 11:30:08 EDT
Someone can currently modify the POST request on the Channel Permissions and
Assigned Server Groups pages under User Details to include channels or server
groups managed by a different org and have their changes persist to the database.

Prevent persisting of invalid data with regards to user channel permissions and
user assigned server groups.

1. Login->go to Users->click a User->Channel Permissions
2. Right click and save source.
3. Modify the POST form to point to the correct domain (ex. /rhn/users ->
4. Add within the form tag a cid and selectedChannel from a different org.
    ex.(    <input type="checkbox" name="selectedChannels" value="4211" />
            <input type='hidden' name="cid" value="4211" /> )
5. Browse to the page on your harddrive using a web browser.
6. Select the checkbox that shouldn't be there.
7. Click the button to submit the form.
8. See that the user's channel perms include the invalid channel:
Select * from rhnUserChannel where user_id = :uid and channel_id = :cid

For server group permissions, do the same as above with the following changes.
1. Login->go to Users->click a User->System Groups
4. <input type="checkbox" name="selectedGroups" value="4635208" />
   <input type="hidden" name="cid" value="4635208" />
8. See that the user's server group perms include the invalid group:
Select * from rhnUserManagedServerGroups where user_id = :uid and
server_group_id = :sgid
Comment 1 Michael Bowman 2005-08-01 11:16:59 EDT
These holes are fixed on QA.

Note You need to log in before you can comment on or make changes to this bug.