Discussion forum about ELOG
Exploit Browser Tabs to Make Anonymous Entries, posted by Alan Stone on Wed Jul 30 19:54:28 2008
    Re: Exploit Browser Tabs to Make Anonymous Entries, posted by Stefan Ritt on Thu Jul 31 09:25:01 2008
Message ID: 65938     Entry time: Thu Jul 31 09:25:01 2008     In reply to: 65937
Icon: Reply  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Bug report  OS: Linux  ELOG Version: 2.7.4-2113 
Subject: Re: Exploit Browser Tabs to Make Anonymous Entries 

Alan Stone wrote:

One of my shifters just managed to make an anonymous logbook entry even though the Author attribute is required.

It turns out that he had two tabs in his browser opened/logged into the Elog. He logged out in one tab only. Then he did some other work on the desktop. Then he returned to the browser to make a new logbook entry, finding the tab which still showed the logged in menu, including the link for "New". The Shifter is on day two, so he did not give any special notice to seeing Anonymous in the Author field instead of his name. He did point it out when I came in, and noted that no warning was given about making an anonymous entry.

I tested the same scenario myself. One cannot preview an anonymous entry (when Author field is a required attribute). A warning is given. However, one can submit the anonymous entry, and no warning is given.

What configuration do you use? I tried to reproduce your problem with a "minimal" configuration like

[demo]
Attributes = Author, Subject
Preset Author = $long_name
Locked Attributes = Author

When I log out from the second browser tab and click on "New" on the first browser tab, I am shown the login page, not the new entry page. I guess your "menu commands" and "guest menu commands" allow non-logged in users to issue a "New" command. Try removing that.

Stefan
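The configuration contrast Stefan describes, written out as an added example that is not part of the original thread or of the ELOG distribution. It reuses the [demo] section from the reply above and adds the `Required Attributes`, `Menu commands` and `Guest menu commands` options that ELOG's elogd.cfg supports; the specific command lists shown are assumed illustrative values, not the reporter's actual configuration. The point to check in your own elogd.cfg is whether a not-logged-in (guest) session is offered "New" at all: if it is, a tab whose login was invalidated from another tab can still reach the submit path and the entry lands with Author = Anonymous, as described in the bug report.

```ini
[demo]
Attributes = Author, Subject
Required Attributes = Author
Preset Author = $long_name
Locked Attributes = Author

; Permissive variant (assumed reconstruction of a configuration that
; reproduces the report): "New" is offered to guests, so a stale tab
; whose session was logged out elsewhere can still open the new-entry
; form and submit it without a login.
; Guest menu commands = Back, New, Find, Login, Help

; Corrected variant (command lists are assumed examples): guests get
; only read-only commands plus Login. A stale tab that clicks "New"
; is then sent to the login page instead of the entry form, which is
; the behaviour Stefan observes with the minimal configuration.
Menu commands = Back, New, Edit, Reply, Find, Logout, Help
Guest menu commands = Back, Find, Login, Help
```

After changing the guest command list, repeat the reporter's two-tab test: log in twice, log out in one tab, and click "New" in the other. The expected result is the login page; if the entry form still appears, the logbook is inheriting a broader guest menu from the [global] section, which is worth checking next.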

ELOG V3.1.5-fe60aaf