Red Hat Bugzilla – Bug 163259
Prevent invalid channel and server group permissions
Last modified: 2007-04-18 13:29:20 EDT
Someone can currently modify the POST request on the Channel Permissions and
Assigned Server Groups pages under User Details to include channels or server
groups managed by a different org and have their changes persist to the database.
Prevent persisting of invalid data with regards to user channel permissions and
user assigned server groups.
1. Login->go to Users->click a User->Channel Permissions
2. Right click and save source.
3. Modify the POST form to point to the correct domain (ex. /rhn/users ->
4. Add within the form tag a cid and selectedChannel from a different org.
ex.( <input type="checkbox" name="selectedChannels" value="4211" />
<input type='hidden' name="cid" value="4211" /> )
5. Browse to the page on your harddrive using a web browser.
6. Select the checkbox that shouldn't be there.
7. Click the button to submit the form.
8. See that the user's channel perms include the invalid channel:
Select * from rhnUserChannel where user_id = :uid and channel_id = :cid
For server group permissions, do the same as above with the following changes.
1. Login->go to Users->click a User->System Groups
4. <input type="checkbox" name="selectedGroups" value="4635208" />
<input type="hidden" name="cid" value="4635208" />
8. See that the user's server group perms include the invalid group:
Select * from rhnUserManagedServerGroups where user_id = :uid and
server_group_id = :sgid
These holes are fixed on QA.