mugle-dev team mailing list archive
-
mugle-dev team
-
Mailing list archive
-
Message #00362
[Bug 787328] [NEW] Users can create GameVersions in other people's Games
*** This bug is a security vulnerability ***
Private security bug reported:
I haven't tested this, but it seems that a malicious user can craft a
GameVersion in another person's Game. This is because the
GameVersionData.setGame field is writable if you own the GameVersion.
That means you can have a GameVersion point to someone else's game.
Note: I had to make this writable in r376 or users would not be able to
create GameVersions in their own Games.
** Affects: mugle
Importance: High
Status: New
** Tags: permissions
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/787328
Title:
Users can create GameVersions in other people's Games
Status in Melbourne University Game-based Learning Environment:
New
Bug description:
I haven't tested this, but it seems that a malicious user can craft a
GameVersion in another person's Game. This is because the
GameVersionData.setGame field is writable if you own the GameVersion.
That means you can have a GameVersion point to someone else's game.
Note: I had to make this writable in r376 or users would not be able
to create GameVersions in their own Games.
Follow ups
References