Security advisory: Unauthorized locking in MidCOM

Posted on 2005-02-07 19:41:16 CET.

Helia has found a non-critical security issue in the datamanager, MidCOM's form-handling component. The issue allowed users who do not have editing permission for a document to lock it.

The lock is stored when the user tries to edit a document without permissions. The user does not gain actual editing access, although to content editors the lock may make it look as if they had.

The lock looks like the following, and displays the unauthorized user's username, IP address and access time:

[Screenshot: midcom-lock.jpg]

This issue affects all post-1.2 MidCOM versions.

Updated 2005-02-08 10:20 UTC: More detailed information and a patch for the issue can be found in MidCOM bug #185. The patch is also in CVS.
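
The ordering flaw described above, as an added example that is not MidCOM's code and not the patch from bug #185: a lock written before the permission check, the corrected order, and an audit that finds locks held by users who cannot edit. `LockStore`, `beginEditFlawed`, `beginEditChecked`, `findUnauthorizedLocks` and the ACL array are hypothetical names, and the sample data is constructed.

```php
<?php
// Hypothetical model, not MidCOM's datamanager code. Lock fields follow the advisory.
final class LockStore
{
    private array $locks = [];   // docId => ['user' => ..., 'ip' => ..., 'time' => ...]
    public function set(string $doc, string $user, string $ip): void
    {
        $this->locks[$doc] = ['user' => $user, 'ip' => $ip, 'time' => time()];
    }

    public function all(): array { return $this->locks; }
}

// Order the advisory describes: the lock is stored before the permission check.
function beginEditFlawed(LockStore $s, callable $canEdit, string $doc, string $user, string $ip): bool
{
    $s->set($doc, $user, $ip);
    return $canEdit($user, $doc);   // denial arrives after the lock is already written
}

// Corrected order: authorize first, write shared state only on success.
function beginEditChecked(LockStore $s, callable $canEdit, string $doc, string $user, string $ip): bool
{
    if (!$canEdit($user, $doc)) {
        return false;
    }
    $s->set($doc, $user, $ip);
    return true;
}

// Audit for locks left behind before patching: holders who lack edit permission.
function findUnauthorizedLocks(LockStore $s, callable $canEdit): array
{
    return array_filter(
        $s->all(),
        fn(array $lock, string $doc): bool => !$canEdit($lock['user'], $doc),
        ARRAY_FILTER_USE_BOTH
    );
}

// Constructed sample data: only "editor" may edit "doc-1".
$acl = ['doc-1' => ['editor']];
$canEdit = fn(string $u, string $d): bool => in_array($u, $acl[$d] ?? [], true);
$flawed = new LockStore();
beginEditFlawed($flawed, $canEdit, 'doc-1', 'viewer', '192.0.2.10');
$fixed = new LockStore();
beginEditChecked($fixed, $canEdit, 'doc-1', 'viewer', '192.0.2.10');
var_dump(array_keys(findUnauthorizedLocks($flawed, $canEdit)));
var_dump(count($fixed->all()));
```

The audit function is the part worth keeping after patching, since locks stored before the fix remain in place until something clears them.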
