This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests are now tracked in the issue tracker on GitHub.
FS#825 Privilege Escalation in Profile Update
Andreas Åkre Solberg discovered a security flaw which allows registered users to view page content they usually have no access to. The problem is in the way a successful user profile change is handled.
This affects only users who have Access Control Lists enabled (off by default) and have restricted the READ permission for certain pages even for logged-in users. Non-authenticated users cannot exploit this bug.
To fix the problem manually, add the following line before the "call template" comment line (around line 102) in inc/action.php:
$ACT = act_permcheck($ACT);
This rechecks all ACLs a second time before the template is called, avoiding similar problems in the future.
The downloadable package of release 2006-03-09 was updated to incorporate the fix (-> 2006-03-09b).
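The following is an added example, not DokuWiki's code: a simplified model of a dispatcher that checks permissions once and then renders, showing why a second check immediately before the template call closes this class of bug. All function names, the ACL table, and the assumption that a successful profile update falls through to displaying the requested page are hypothetical.

```php
<?php
// Simplified model of a check-then-render dispatcher. All names are
// hypothetical; this is not DokuWiki's implementation.

const PERM_NONE = 0;
const PERM_READ = 1;

// Constructed sample ACL: permission each user holds on each page.
$acl = [
    'public:start'   => ['alice' => PERM_READ],
    'private:salary' => ['alice' => PERM_NONE],
];

// Page permission an action requires. Only 'show' needs READ on the page;
// editing one's own profile needs no permission on the requested page.
function needed_perm(string $act): int {
    return $act === 'show' ? PERM_READ : PERM_NONE;
}

// Returns the action unchanged if the user may perform it, else 'denied'.
function permcheck(string $act, string $user, string $page, array $acl): string {
    $have = $acl[$page][$user] ?? PERM_NONE;
    return $have >= needed_perm($act) ? $act : 'denied';
}

function dispatch(string $act, string $user, string $page, array $acl, bool $recheck): string {
    // First check: applies to the action as requested.
    $act = permcheck($act, $user, $page, $acl);

    if ($act === 'profile') {
        // Assumption: after a successful profile update the handler rewrites
        // the action so the page is displayed. This happens after the check.
        $act = 'show';
    }

    if ($recheck) {
        // The fix: check the final action right before the template is called.
        $act = permcheck($act, $user, $page, $acl);
    }

    // "call template"
    return $act === 'show' ? "render $page" : 'access denied';
}

// Same request against a page alice may not read, without and with the recheck.
echo dispatch('profile', 'alice', 'private:salary', $acl, false), "\n";
echo dispatch('profile', 'alice', 'private:salary', $acl, true), "\n";
// A normal read of a permitted page is unaffected by the recheck.
echo dispatch('show', 'alice', 'public:start', $acl, true), "\n";
```

Because the second check runs on whatever action is about to be rendered, it also covers any other handler that changes the action after the first check.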