Discussion forum about ELOG
Exploit Browser Tabs to Make Anonymous Entries, posted by Alan Stone on Wed Jul 30 19:54:28 2008
    Re: Exploit Browser Tabs to Make Anonymous Entries, posted by Stefan Ritt on Thu Jul 31 09:25:01 2008
Message ID: 65937     Entry time: Wed Jul 30 19:54:28 2008     Reply to this: 65938
Icon: Entry  Author: Alan Stone  Author Email: 
Category: Bug report  OS: Linux  ELOG Version: 2.7.4-2113 
Subject: Exploit Browser Tabs to Make Anonymous Entries 

One of my shifters just managed to make an anonymous logbook entry even though the Author attribute is required.

It turns out that he had two tabs in his browser opened/logged into the Elog. He logged out in one tab only. Then he did some other work on the desktop. Then he returned to the browser to make a new logbook entry, finding the tab which still showed the logged in menu, including the link for "New". The shifter is on day two, so he did not give any special notice to seeing Anonymous in the Author field instead of his name. He did point it out when I came in, and noted that no warning was given about making an anonymous entry.


I tested the same scenario myself. One cannot preview an anonymous entry (when Author field is a required attribute). A warning is given. However, one can submit the anonymous entry, and no warning is given.
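
The scenario in the report above, replayed against a minimal model of a logbook server, as an added example that is not part of the original post and is not ELOG's code. It shows a submit handler that runs the same checks as preview, re-validates the session on every request, and takes the author from the session rather than from the form; all function names, the session store and the sample form values are hypothetical.

```python
# Added illustration; not ELOG code. All names here are hypothetical.
import secrets

REQUIRED = ("Author", "Subject")      # assumed required attributes
ANON = "Anonymous"                    # placeholder value seen in the report
SESSIONS = {}                         # session token -> user name


def login(user):
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def logout(token):
    # Invalidate server-side so every tab sharing the cookie is logged out.
    SESSIONS.pop(token, None)


def validate(token, form):
    """One validator shared by preview and submit; returns a list of errors."""
    user = SESSIONS.get(token)
    if user is None:
        return ["session expired: log in again"]
    entry = dict(form, Author=user)   # author comes from the session, not the form
    return [f"missing required attribute: {a}" for a in REQUIRED
            if not str(entry.get(a, "")).strip() or entry[a] == ANON]


def preview(token, form):
    return validate(token, form)


def submit(token, form, logbook):
    errors = validate(token, form)
    if errors:
        return errors                 # rejected: nothing is written
    logbook.append(dict(form, Author=SESSIONS[token]))
    return []


def stale_tab_scenario():
    """Constructed replay: two tabs share one session, logout happens in tab 1."""
    logbook = []
    token = login("shifter")
    assert submit(token, {"Subject": "Shift start"}, logbook) == []
    logout(token)                                        # tab 1
    stale = {"Author": ANON, "Subject": "Beam status"}   # tab 2, form still open
    return preview(token, stale), submit(token, stale, logbook), logbook
```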

