Details
- Bug
- Status: Resolved
- Blocker
- Resolution: Cannot Reproduce
- 1.0.0
- None
- None
- Ubuntu server 16.04.3, guacamole git version client and server
Description
Testing the latest guacamole-client AND guacamole-server git versions with TOTP extensions ON and a MySQL database:
Allowing "change own password" for a user account allows modifying / deleting existing connections
I created a standard user "test" by cloning the default admin account "guacadmin". Then I just checked the box "change own password", nothing more; all other boxes are blank!
Then I connected through Guacamole with that new user "test" and tried to change my password, and then I realized I was able to see the Users and Connections tabs and access them!
While on the Users tab, I cannot modify my own user profile (access denied); on the Connections tab I can modify OR delete existing connections?!
Then I retried with a new user created WITHOUT cloning the "guacadmin" default account, and this time it seems to work as expected!
Worth checking that and confirming whether there's a security issue relating to cloning an account vs creating a new account?
Thank you!