[python-committers] [Infrastructure] [Pydotorg] XSS security issue
R. David Murray
rdmurray at bitdance.com
Mon Jul 15 17:16:32 CEST 2013

On Mon, 15 Jul 2013 08:22:40 -0400, Donald Stufft <donald at stufft.io> wrote:
> So I was able to log in to the "nobody" account without a password
> (Why is this even possible?). It gave me powers to edit users and some
> other shit. I added a password to the nobody account since these lists
> are publicly available and if I can get into that user so can others.

Ah, I didn't realize you could edit users (I thought that was Coordinator role) or I would have changed the password myself.

> I will make the password available to whoever is in charge, (Or they
> can just change the password themselves I don't care).

I think the user should just be retired. My guess is that it dates from a time when we were less worried about bad actors coming in and trashing things just for the fun of it. What I don't know is if there is some script somewhere depending on it being a valid user. For now, I've removed its access roles, and we'll see if anything breaks.

--David