ckrintz / appscale

Automatically exported from code.google.com/p/appscale

Login cookie can be exploited to become admin on other applications #119

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Once a user is logged in, they are given a cookie of the following form:

email:nickname:is_admin:hash

Google AppEngine apps then know if the user is an administrator on their
application via the third field. However, this field is simply true or
false, so if a user is an administrator on one application, they
effectively are administrators on all applications. Need to rework the
cookie and AppServer to address this problem.

Original issue reported on code.google.com by shattere...@gmail.com on 23 Nov 2009 at 6:58
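To make the flaw in the report concrete, here is an added example (not AppScale's own code) that parses the email:nickname:is_admin:hash cookie and contrasts the global true/false admin check with a per-application one. It assumes the hash is an HMAC-SHA256 over the three cleartext fields under a server-side secret (the issue does not say how the hash is computed), and it assumes the reworked third field carries a comma-separated list of application ids the user administers; both are illustrative choices, not the project's actual fix.

```python
import hmac
import hashlib

# Assumed server-side secret for the example; a real deployment would load it
# from configuration, never from source.
SECRET_KEY = b"constructed-example-secret"


def _sign(email: str, nickname: str, admin_field: str, secret: bytes) -> str:
    """HMAC-SHA256 over the three cleartext fields. This is an assumed
    construction of the cookie's 'hash' field; the issue does not specify it."""
    msg = f"{email}:{nickname}:{admin_field}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_cookie(email: str, nickname: str, admin_field: str,
                secret: bytes = SECRET_KEY) -> str:
    """Build a cookie of the form email:nickname:admin_field:hash."""
    return f"{email}:{nickname}:{admin_field}:{_sign(email, nickname, admin_field, secret)}"


def parse_cookie(cookie: str, secret: bytes = SECRET_KEY):
    """Split the cookie and verify its hash. Returns (email, nickname,
    admin_field) or None if the cookie is malformed or was tampered with."""
    parts = cookie.split(":")
    if len(parts) != 4:
        return None
    email, nickname, admin_field, sig = parts
    expected = _sign(email, nickname, admin_field, secret)
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(sig, expected):
        return None
    return email, nickname, admin_field


def is_admin_global(cookie: str, secret: bytes = SECRET_KEY) -> bool:
    """The check the issue describes: the third field is a bare true/false,
    so an admin on one application is treated as an admin on every one."""
    fields = parse_cookie(cookie, secret)
    return fields is not None and fields[2].lower() == "true"


def is_admin_for_app(cookie: str, app_id: str, secret: bytes = SECRET_KEY) -> bool:
    """Per-application check (assumed reworked format): the third field lists
    the application ids the user administers, and the requesting application
    must be in that list."""
    fields = parse_cookie(cookie, secret)
    if fields is None:
        return False
    admin_apps = {a for a in fields[2].split(",") if a}
    return app_id in admin_apps


if __name__ == "__main__":
    # Constructed sample: alice administers two apps, bob has a legacy "true" flag.
    alice = make_cookie("alice@example.com", "alice", "guestbook,photos")
    bob = make_cookie("bob@example.com", "bob", "true")
    print("alice admin on guestbook:", is_admin_for_app(alice, "guestbook"))
    print("alice admin on blog:", is_admin_for_app(alice, "blog"))
    print("bob global admin flag:", is_admin_global(bob))
```

Because the signature covers the admin field, a cookie whose application list is edited after issuance fails `parse_cookie` and is treated as non-admin, and a legacy true/false cookie no longer grants admin rights on an application it never named.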

GoogleCodeExporter commented 9 years ago
Fixed and tested with Python AppServer. Java AppServer has been changed to match this logic but has not been verified yet.

Original comment by shattere...@gmail.com on 30 Nov 2009 at 6:28

GoogleCodeExporter commented 9 years ago
Tested and working for Java AppServer. Problem was due to a different bug in how we set the new cookie, opened as bug 122 (http://code.google.com/p/appscale/issues/detail?id=122)

Original comment by shattere...@gmail.com on 30 Nov 2009 at 6:44