Re: [python-committers] [Infrastructure] [Pydotorg] XSS security issue
On Mon, 15 Jul 2013 08:22:40 -0400, Donald Stufft donald@stufft.io wrote:
So I was able to log in to the "nobody" account without a password (Why is this even possible?). It gave me powers to edit users and some other shit. I added a password to the nobody account since these lists are publicly available and if I can get into that user so can others.
Ah, I didn't realize you could edit users (I thought that was Coordinator role) or I would have changed the password myself.
I will make the password available to whoever is in charge (or they can just change the password themselves; I don't care).
I think the user should just be retired. My guess is that it dates from a time when we were less worried about bad actors coming in and trashing things just for the fun of it. What I don't know is if there is some script somewhere depending on it being a valid user. For now, I've removed its access roles, and we'll see if anything breaks.
--David