View Issue Details

ID: 0010889
Project: mantisbt
Category: security
View Status: public
Last Update: 2013-07-17 10:30
Reporter: dhx
Assigned To: dhx
Priority: immediate
Severity: block
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: git trunk
Target Version: 1.2.0rc2
Fixed in Version: 1.2.0rc2
Summary: 0010889: Anonymous users can modify account preferences and columns
Description

Anonymous users can currently see all the account_* pages and are not stopped from making changes to their account preferences. The 'protected' flag on accounts should not only apply to the email/password settings for an account, but to all other settings too.

Tags: No tags attached.

Activities

dhx (reporter) 2009-08-31 06:27 ~0022829

All fixed now. Thanks to paul for finding this one.

dhx (reporter) 2009-08-31 06:47 ~0022830

If an installation of MantisBT allows users to delete their own accounts, this bug would let anyone delete the anonymous account, locking out everyone else.

It is also possible for anyone to turn off all columns or change them around at will (for anonymous users).

Therefore I consider this a fairly severe security vulnerability.

And it's my fault too :(
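An added example, not MantisBT's own code, modelling the two points raised above: the protected check must treat the anonymous account as protected, and every account_* operation (preferences, columns, delete), not just the email/password form, must go through that check. The user model, function names and the "buggy" variant are constructed assumptions for illustration, not the project's real code.

```python
from typing import Dict, List

ANONYMOUS_ACCOUNT = "anonymous"  # constructed: username of the shared anonymous account


class User:
    """Minimal stand-in for an account record (assumption: one 'protected' flag)."""
    def __init__(self, username: str, protected: bool = False) -> None:
        self.username = username
        self.protected = protected


def user_is_protected_inverted(user: User, anonymous_enabled: bool) -> bool:
    """Constructed illustration of inverted logic: the anonymous account is only
    treated as protected when anonymous access is *disabled*, so in a live
    installation it is never protected and anyone may edit or delete it."""
    if user.username == ANONYMOUS_ACCOUNT:
        return not anonymous_enabled
    return user.protected


def user_is_protected(user: User, anonymous_enabled: bool) -> bool:
    """Corrected check: the anonymous account is protected whenever anonymous
    access is enabled, and any account carrying the flag is protected too."""
    if anonymous_enabled and user.username == ANONYMOUS_ACCOUNT:
        return True
    return user.protected


class AccountProtectedError(PermissionError):
    pass


def require_unprotected(user: User, anonymous_enabled: bool, action: str) -> None:
    """Single gate that every account_* write path must call before changing anything."""
    if user_is_protected(user, anonymous_enabled):
        raise AccountProtectedError(f"{action} refused: '{user.username}' is protected")


def update_columns(user: User, anon_on: bool, cols: List[str], store: Dict) -> Dict:
    require_unprotected(user, anon_on, "column update")
    store[user.username] = list(cols)
    return store


def delete_account(user: User, anon_on: bool, store: Dict) -> Dict:
    require_unprotected(user, anon_on, "account deletion")
    store.pop(user.username, None)
    return store


def is_refused(action, *args) -> bool:
    """True if the gate blocked the action, False if it went through."""
    try:
        action(*args)
        return False
    except AccountProtectedError:
        return True
```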

Related Changesets

MantisBT: master-1.2.x 191b5c96

2009-08-31 06:23

dhx


Details Diff
Fix 0010889: user_is_protected() incorrect logic for anon accounts

Commit 3803c90c340dd20a0736af381fe50bfd3cfa838d introduced a bug whereby
the anonymous account would never be considered protected. This was due
to inversed/invalid logic. How embarrassing!
Affected Issues: 0010889
mod - core/user_api.php

MantisBT: master 7b794dfc

2009-08-31 06:23

dhx


Details Diff
Fix 0010889: user_is_protected() incorrect logic for anon accounts

Commit 3803c90c340dd20a0736af381fe50bfd3cfa838d introduced a bug whereby
the anonymous account would never be considered protected. This was due
to inversed/invalid logic. How embarrassing!
Affected Issues: 0010889
mod - core/user_api.php