from Hacker News

SECUREDROP = 0.3 – Possible Backdoor and Privileges Escalation by Unauth User

by jmedwards on 4/1/15, 8:33 PM with 1 comments

  • by fabulist on 4/1/15, 10:25 PM

    Relevant portion of the rant:

        File /securedrop/journalist.py, lines 125-128, missing @admin_required decorator
        125 @app.route('/admin/add', methods=('GET', 'POST'))
        126 def admin_add_user():
        127     # TODO: process form submission
        128     return render_template("admin_add_user.html")
    
    Ouch!
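The defect quoted above is a route under `/admin/` registered without the authorization decorator that the rest of the admin views carry. The following is an added example, not SecureDrop's or Flask's code: it uses a small constructed stand-in for Flask's `app.route` registry (`MiniApp`, `current_user`, `call` are all hypothetical names) to show the unprotected route next to its hardened form, why decorator order matters, and an `audit_admin_routes` check that lists every `/admin/` path whose registered view lacks the decorator.

```python
import functools

# Minimal stand-in for a Flask-style app: maps a path to its view function.
# Constructed for this example only; it is not Flask and not SecureDrop's code.
class MiniApp:
    def __init__(self):
        self.routes = {}

    def route(self, path, methods=("GET",)):
        def register(view):
            self.routes[path] = view  # whatever object is decorated last is what gets served
            return view
        return register

# Stand-in for the request's session state (hypothetical; a real app reads the session).
current_user = {"authenticated": False, "is_admin": False}

def admin_required(view):
    """Refuse the request unless the caller is an authenticated admin.
    The marker attribute lets audit_admin_routes() verify the decorator is present."""
    @functools.wraps(view)
    def wrapper(*args, **kwargs):
        if not current_user["authenticated"]:
            return 401, "login required"
        if not current_user["is_admin"]:
            return 403, "admin only"
        return view(*args, **kwargs)
    wrapper._admin_required = True
    return wrapper

app = MiniApp()

# The shape quoted in the thread: an /admin route with no authorization check at all.
@app.route("/admin/add", methods=("GET", "POST"))
def admin_add_user_unprotected():
    return 200, "admin_add_user.html"

# Hardened form. Order matters: @app.route must be the outermost decorator so the
# function registered for the path is the wrapped (checked) one, not the bare view.
@app.route("/admin/add_fixed", methods=("GET", "POST"))
@admin_required
def admin_add_user():
    return 200, "admin_add_user.html"

def audit_admin_routes(app):
    """Return every /admin/ path whose registered view does not carry admin_required."""
    return sorted(
        path for path, view in app.routes.items()
        if path.startswith("/admin/") and not getattr(view, "_admin_required", False)
    )

def call(app, path, authenticated, is_admin):
    """Dispatch a request to `path` as a caller with the given session state."""
    current_user.update(authenticated=authenticated, is_admin=is_admin)
    return app.routes[path]()

if __name__ == "__main__":
    print(audit_admin_routes(app))                                      # ['/admin/add']
    print(call(app, "/admin/add", authenticated=False, is_admin=False))   # (200, ...) anyone is served
    print(call(app, "/admin/add_fixed", authenticated=False, is_admin=False))  # (401, ...)
```

The audit is the check worth keeping in a test suite: against a real Flask application the same idea walks `app.view_functions` (a dict of endpoint name to view) and asserts that every admin endpoint's view carries the marker, so a route added without the decorator fails CI instead of shipping. Stacking `@admin_required` above `@app.route` would register the unwrapped function and silently bypass the check, which is why the marker is set on the wrapper and not on the original view.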