Bug 33163 - Default slide installation exposes all passwords
Summary: Default slide installation exposes all passwords
Status: NEW
Alias: None
Product: Slide
Classification: Unclassified
Component: Security
Version: Nightly
Hardware: PC Linux
Importance: P1 critical
Target Milestone: ---
Assignee: Slide Developer List
Reported: 2005-01-19 10:36 UTC by Ramon Casha
Modified: 2005-01-19 03:16 UTC

Description Ramon Casha 2005-01-19 10:36:01 UTC
The default installation of slide allows any logged-in user to view the
passwords of all users by examining the properties of /users/xxx.

I think someone needs to go through the initial data set of Slide and make sure
it's more secure, setting the minimal permissions on each folder for the product
to work. I know it's just a sample but showing the password in this way is still
bad - some people might use the initial data set to build their own structure on.
Comment 1 Carlos Villegas 2005-01-19 12:16:07 UTC
Also in the default Domain.xml, write-acl, implied by write, is given to
everybody in the /files collection. Even though read-acl is given to the owner 
only, anybody can still change the acls of any object in the /files collection.
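
Comment 1's point, that a grant of write carries write-acl with it, can be checked mechanically by expanding implied actions before reviewing grants. The following is an added example, not part of the bug report or of Slide's code; the XML layout, element names and subject names are a constructed simplification and an assumption, not Slide's actual Domain.xml schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample: simplified ACL layout for illustration, NOT Slide's real Domain.xml schema.
SAMPLE = """
<acl>
  <action name="write"><implies>write-acl</implies><implies>write-content</implies></action>
  <action name="read"><implies>read-content</implies></action>
  <node uri="/files">
    <grant subject="all" action="read"/>
    <grant subject="all" action="write"/>
    <grant subject="owner" action="read-acl"/>
  </node>
  <node uri="/users">
    <grant subject="all" action="read"/>
    <grant subject="root" action="write"/>
  </node>
</acl>
"""

BROAD_SUBJECTS = {"all", "authenticated"}  # hypothetical names for "everybody"-style subjects
SENSITIVE = {"write-acl"}                  # actions that should never reach a broad subject

def expand(action, implied, seen=None):
    """Return the action plus everything it transitively implies."""
    seen = set() if seen is None else seen
    if action not in seen:
        seen.add(action)
        for child in implied.get(action, ()):
            expand(child, implied, seen)
    return seen

def audit(xml_text, broad=BROAD_SUBJECTS, sensitive=SENSITIVE):
    """List (uri, subject, granted, effective) where a broad subject ends up with a sensitive action."""
    root = ET.fromstring(xml_text)
    implied = {a.get("name"): [i.text for i in a.findall("implies")]
               for a in root.findall("action")}
    findings = []
    for node in root.findall("node"):
        for grant in node.findall("grant"):
            if grant.get("subject") not in broad:
                continue
            for action in sorted(expand(grant.get("action"), implied) & sensitive):
                findings.append((node.get("uri"), grant.get("subject"),
                                 grant.get("action"), action))
    return findings

if __name__ == "__main__":
    for uri, subject, granted, effective in audit(SAMPLE):
        print(f"{uri}: '{subject}' granted '{granted}' => effectively holds '{effective}'")
```

Reviewing only the literal grants would miss this case, because write-acl never appears in the `/files` node; it surfaces only after the implication is expanded.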