security breach ? users bypassing the 'pending'-process
Added by inkimar Erlingsson over 7 years ago
I have the following setup :
Environment: Redmine version 3.3.2.stable Ruby version 2.2.7-p470 (2017-03-28) [x86_64-linux] Rails version 4.2.7.1 Environment production Database adapter Mysql2 SCM: Subversion 1.8.10 Mercurial 3.1.2 Bazaar 2.7.0 Git 2.1.4 Filesystem Redmine plugins: redmine_agile 1.4.2
On the 22 and 23 of august I had 2 new registered users , one from bestmailonline.com and the other from mail.ru.
So instead of those users being caught in the 'registered'-zone they were already in the 'active'-zone without anyone of our employees giving them access ?
Is this a security breach with version 3.3.2.stable ?
What are my options right now, is it to remove the 'register'-link or can I patch the system ?
Within the system I can only see one log-file and that is /usr/src/redmine/log/production.log -
can I add some more logging parameters so that the logging will be more fine-tuned and even rotate the log ?
best, i
Replies (3)
RE: security breach ? users bypassing the 'pending'-process - Added by Toshi MARUYAMA over 7 years ago
inkimar Erlingsson wrote:
is it to remove the 'register'-link or can I patch the system ?
Settings -> Authentication -> Self-registration -> disabled
RE: security breach ? users bypassing the 'pending'-process - Added by inkimar Erlingsson over 7 years ago
Thank you for the reply.
This is a great workaround and I have implemented it.
if we go back to the issue, is this an issue in the redmine-system that has found its patch.
because I don't understand how these users got through the 'registered'-zone.
a bug ?
regards, i
RE: security breach ? users bypassing the 'pending'-process - Added by Toshi MARUYAMA over 7 years ago
What was your Self-registration setting?