When some elements or modules are inserted in the contend of a page an additional user is created in the additional_users table with user_id=0. This causes the the author_pages() function to return those pages when nobody is logged in. The easyes case to test this is by putting an iframe element in the page. I used: and this caused the problem. The picasa module as well.
Second thing: the records in the additional_users table are not deleted when the page is deleted. This is not a major bug, but worth mentioning.
[solved] Security issue, creation of additional user with user_id=0
[solved] Security issue, creation of additional user with user_id=0
Last edited by bterkuile on Sat Sep 08, 2007 10:20 am, edited 1 time in total.
Re: [solved] Security issue, creation of additional user with user_id=0
I could not reproduce this bug of generating additional users with user_id=0 in CMSMS version 1.1.2, so I consider this one fixed. The deleting of additional users when a page is deleted is still not fixed, but I will add this as a (minor) bug report in the repository. This bug does not influence the working of the system.