security breach ? users bypassing the 'pending'-process

Added by inkimar Erlingsson over 6 years ago

I have the following setup :

Environment:
  Redmine version                3.3.2.stable
  Ruby version                   2.2.7-p470 (2017-03-28) [x86_64-linux]
  Rails version                  4.2.7.1
  Environment                    production
  Database adapter               Mysql2
SCM:
  Subversion                     1.8.10
  Mercurial                      3.1.2
  Bazaar                         2.7.0
  Git                            2.1.4
  Filesystem                     
Redmine plugins:
  redmine_agile                  1.4.2

On the 22nd and 23rd of August I had 2 new registered users, one from bestmailonline.com and the other from mail.ru.
So instead of those users being caught in the 'registered' zone they were already in the 'active' zone without any of our employees giving them access?
Is this a security breach with version 3.3.2.stable?
What are my options right now, is it to remove the 'register' link or can I patch the system?
Within the system I can only see one log file and that is /usr/src/redmine/log/production.log -
can I add some more logging parameters so that the logging will be more fine-tuned and even rotate the log?

best, i
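The post above asks two practical things about production.log: how to get finer-grained, rotated logging, and how to tell from the log who registered and when. The Ruby below is an added example written for this thread; it is not code from the thread's participants or from Redmine itself. It assumes Rails' default request line format (`Started POST "/account/register" for <ip> at <time>`) and Redmine's `/account/register` path; the sample log lines are constructed, and the rotation demo writes to a temporary directory rather than to /usr/src/redmine/log.

```ruby
require 'logger'
require 'tmpdir'

# Build a size-rotating Logger of the kind Rails accepts as config.logger.
# In Ruby's Logger, `keep` is the total number of files (current + old ones)
# and `max_bytes` is the size at which the current file is rotated to .0, .1, ...
def build_rotating_logger(path, keep: 3, max_bytes: 10 * 1024 * 1024)
  logger = Logger.new(path, keep, max_bytes)
  logger.level = Logger::INFO
  # One line per entry with a UTC timestamp so entries sort and grep cleanly.
  logger.formatter = proc do |severity, time, _progname, msg|
    "#{time.utc.strftime('%Y-%m-%dT%H:%M:%SZ')} #{severity} #{msg}\n"
  end
  logger
end

# Demonstrate rotation in a temp dir with a tiny size limit.
# Returns the sorted list of file names left behind (production.log, .0, .1 ...).
def demo_rotation(entries: 400)
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'production.log')
    log = build_rotating_logger(path, keep: 3, max_bytes: 2048)
    entries.times do |i|
      log.info("Started POST \"/account/register\" for 203.0.113.#{i % 5} at 2017-08-22 10:00:00 +0000")
    end
    log.close
    Dir.children(dir).sort
  end
end

# Rails request line for a self-registration attempt (assumed default format).
REGISTER_LINE = /\AStarted POST "\/account\/register" for (?<ip>[0-9a-f.:]+) at (?<at>.+)\z/

# Constructed sample of production.log request lines (not real Redmine output).
SAMPLE_LOG_LINES = [
  'Started GET "/login" for 198.51.100.4 at 2017-08-22 09:58:10 +0000',
  'Started POST "/account/register" for 203.0.113.7 at 2017-08-22 10:15:01 +0000',
  'Started POST "/account/register" for 203.0.113.7 at 2017-08-22 10:15:09 +0000',
  'Started POST "/account/register" for 198.51.100.4 at 2017-08-23 07:02:44 +0000',
  'Started GET "/projects" for 203.0.113.7 at 2017-08-23 07:03:00 +0000',
  'Started POST "/account/register" for 203.0.113.7 at 2017-08-23 07:20:31 +0000'
].freeze

# Count registration POSTs per source IP: the first thing to check when an
# unexpected account shows up as active.
def count_registrations(lines)
  lines.each_with_object(Hash.new(0)) do |line, counts|
    m = REGISTER_LINE.match(line.strip)
    counts[m[:ip]] += 1 if m
  end
end

# Return the IPs that submitted more than `threshold` registration POSTs,
# a cheap signal for scripted sign-ups worth reviewing in the admin UI.
def flag_burst_registrations(lines, threshold: 2)
  count_registrations(lines).select { |_ip, n| n > threshold }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  puts "rotation left: #{demo_rotation.join(', ')}"
  count_registrations(SAMPLE_LOG_LINES).each { |ip, n| puts "#{ip}: #{n} registration POST(s)" }
  puts "flagged: #{flag_burst_registrations(SAMPLE_LOG_LINES).inspect}"
end
```

To use a logger like `build_rotating_logger` in a Redmine install, the place this example assumes is `config/additional_environment.rb` with `config.logger = build_rotating_logger(Rails.root.join('log', 'production.log').to_s)`; the rotation parameters (count and size) are the ones to tune for your disk budget. Counting `/account/register` POSTs per IP only tells you who submitted the form, not how the accounts became active; whether a self-registered user lands as "registered" or "active" is decided by the Self-registration setting the second reply asks about.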
Replies (3)

RE: security breach ? users bypassing the 'pending'-process - Added by Toshi MARUYAMA over 6 years ago

inkimar Erlingsson wrote:

is it to remove the 'register' link or can I patch the system?

Settings -> Authentication -> Self-registration -> disabled

RE: security breach ? users bypassing the 'pending'-process - Added by inkimar Erlingsson over 6 years ago

Thank you for the reply.
This is a great workaround and I have implemented it.

If we go back to the issue, is this an issue in the Redmine system that has found its patch?
Because I don't understand how these users got through the 'registered' zone.

A bug?

regards, i

RE: security breach ? users bypassing the 'pending'-process - Added by Toshi MARUYAMA over 6 years ago

What was your Self-registration setting?
