[solved] Security issue, creation of additional user with user_id=0

Posted: Fri Aug 31, 2007 12:34 pm
by bterkuile
When some elements or modules are inserted in the content of a page, an additional user is created in the additional_users table with user_id=0. This causes the author_pages() function to return those pages when nobody is logged in. The easiest case to test this is by putting an iframe element in the page. I used: and this caused the problem. The picasa module as well.

Second thing: the records in the additional_users table are not deleted when the page is deleted. This is not a major bug, but worth mentioning.

Re: [solved] Security issue, creation of additional user with user_id=0

Posted: Sat Sep 08, 2007 10:23 am
by bterkuile
I could not reproduce this bug of generating additional users with user_id=0 in CMSMS version 1.1.2, so I consider this one fixed. The deleting of additional users when a page is deleted is still not fixed, but I will add this as a (minor) bug report in the repository. This bug does not influence the working of the system.