
Backend context should not allow non-admin users to manipulate admin triples


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Affects Version/s: 1.0
    • Fix Version/s: 1.0
    • Component/s: Web application
    • Labels: None

      This is a currently-open security hole that allows an attacker with non-admin credentials to query and manipulate triples with admin predicates, which allows them to grant themselves admin privileges and add/remove users from the system.

      I'm not marking this "blocking" because the attacker would have to already have non-admin credentials before they could attack this way, and the attack requires knowing the Tupelo server endpoint and writing code against the Tupelo client APIs and protocols.
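The issue above describes a missing authorization boundary: the backend context trusts the caller to stay away from admin predicates instead of enforcing that itself. The following Python sketch is an added example, not Medici or Tupelo code and not the fix that closed MMDB-422; it models a backend context that derives the caller's admin status from the store rather than from the caller, rejects reads and writes of admin-namespace triples for non-admins, and checks a whole batch before applying any of it. The `TripleStore`, `BackendContext`, `Principal` names and the `http://example.org/admin#` namespace are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder namespace for "admin predicates"; the real
# Medici/Tupelo predicate URIs are not on the page.
ADMIN_NS = "http://example.org/admin#"
IS_ADMIN = ADMIN_NS + "isAdmin"
HAS_USER = ADMIN_NS + "hasUser"

Triple = tuple[str, str, str]


@dataclass
class TripleStore:
    """Minimal in-memory store; stands in for the real backend (assumption)."""
    triples: set = field(default_factory=set)

    def add(self, t: Triple) -> None:
        self.triples.add(t)

    def remove(self, t: Triple) -> None:
        self.triples.discard(t)

    def match(self, s=None, p=None, o=None) -> set:
        return {t for t in self.triples
                if (s is None or t[0] == s)
                and (p is None or t[1] == p)
                and (o is None or t[2] == o)}


@dataclass(frozen=True)
class Principal:
    uri: str


def is_admin_predicate(predicate: str) -> bool:
    return predicate.startswith(ADMIN_NS)


class BackendContext:
    """Per-caller context: every store operation is mediated by the principal
    it was created for. Admin status is looked up in the store, so a caller
    cannot claim it and cannot write the triple that would grant it."""

    def __init__(self, store: TripleStore, principal: Principal):
        self.store = store
        self.principal = principal

    def caller_is_admin(self) -> bool:
        return (self.principal.uri, IS_ADMIN, "true") in self.store.triples

    def _authorize_write(self, t: Triple) -> None:
        if is_admin_predicate(t[1]) and not self.caller_is_admin():
            raise PermissionError(f"{self.principal.uri} may not write {t[1]}")

    def add(self, t: Triple) -> None:
        self._authorize_write(t)
        self.store.add(t)

    def remove(self, t: Triple) -> None:
        self._authorize_write(t)
        self.store.remove(t)

    def write_batch(self, adds, removes=()) -> None:
        """Authorize every triple first so a denied batch leaves no partial state."""
        for t in list(adds) + list(removes):
            self._authorize_write(t)
        for t in removes:
            self.store.remove(t)
        for t in adds:
            self.store.add(t)

    def query(self, s=None, p=None, o=None) -> set:
        results = self.store.match(s, p, o)
        if self.caller_is_admin():
            return results
        # Non-admins never see admin triples, even through a wildcard predicate.
        return {t for t in results if not is_admin_predicate(t[1])}


def write_allowed(ctx: BackendContext, t: Triple) -> bool:
    """True if the context lets this caller add the triple (used by the checks below)."""
    try:
        ctx.add(t)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Constructed scenario: alice is admin, mallory is an ordinary user."""
    store = TripleStore()
    store.add(("u:alice", IS_ADMIN, "true"))
    alice = BackendContext(store, Principal("u:alice"))
    mallory = BackendContext(store, Principal("u:mallory"))
    return {
        "mallory_self_grant": write_allowed(mallory, ("u:mallory", IS_ADMIN, "true")),
        "mallory_sees_admin": any(is_admin_predicate(t[1]) for t in mallory.query()),
        "alice_adds_user": write_allowed(alice, ("u:system", HAS_USER, "u:bob")),
        "mallory_is_admin_after": mallory.caller_is_admin(),
    }


if __name__ == "__main__":
    print(demo())
```

The important design choice is that `caller_is_admin` consults the store's own `isAdmin` triple, which a non-admin cannot write because the same check guards the write path; the query filter closes the read side so an attacker cannot enumerate the admin predicates to target. Real deployments would also log each denied `PermissionError` with the principal URI, since a non-admin attempting admin-namespace writes is a strong signal of the abuse this issue describes.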

              futrelle Joe Futrelle (Inactive)
