[python-committers] [Infrastructure] [Pydotorg] XSS security issue

R. David Murray rdmurray at bitdance.com
Mon Jul 15 17:16:32 CEST 2013


On Mon, 15 Jul 2013 08:22:40 -0400, Donald Stufft <donald at stufft.io> wrote:
> So I was able to log in to the "nobody" account without a password
> (Why is this even possible?). It gave me powers to edit users and some
> other shit. I added a password to the nobody account since these lists
> are publicly available and if I can get into that user so can others.

Ah, I didn't realize you could edit users (I thought that was
Coordinator role) or I would have changed the password myself.

> I will make the password available to whoever is in charge (or they
> can just change the password themselves, I don't care).

I think the user should just be retired.  My guess is that it dates from
a time when we were less worried about bad actors coming in and trashing
things just for the fun of it.  What I don't know is if there is some
script somewhere depending on it being a valid user.  For now, I've
removed its access roles, and we'll see if anything breaks.

--David
