FINDING ID: iSEC-WMF1214-12
TARGETS: The following pages:
• http://devwiki/codwiki/index.php/Special:ActiveUsers
• http://devwiki/codwiki/index.php/Special:GlobalUsers
• http://devwiki/codwiki/index.php/Special:CentralAuth
DESCRIPTION: The target links allow unauthenticated users to look up privileges associated with roles,
and the role associated with any existing user. The roles, such as "administrator" or "steward", disclose
the list of operations a specific user has permission to perform. An attacker can use this information
to enumerate users with higher privileges and create targeted attacks against them.
SHORT TERM SOLUTION: Do not show user roles to unauthenticated users when displaying the list of
users. Restrict the Global Account information to privileged users only.
LONG TERM SOLUTION: Make a chart of what parts of user accounts are considered private or protected,
and go through each way of accessing user data and make sure it conforms to specifications.
Perform regression checks to verify that there is no information disclosure which can be useful to the
attacker.
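The two remediations above (hide roles from unauthenticated viewers, restrict global account data to privileged viewers, and regression-check that neither leaks) can be expressed as a single field-level filter on the user-listing output. The following is an added illustration written for this finding, not MediaWiki or CentralAuth code: the user records, the viewer model, the field names and the right name "view-global-account" are all constructed for the example.

```python
"""Role-visibility filtering for a user-listing page, plus a regression check.

Added example, not MediaWiki/CentralAuth code. The records, viewer model and the
right name GLOBAL_ACCOUNT_RIGHT are assumptions constructed for illustration.
"""

# Fields the finding says must not reach unauthenticated viewers.
ROLE_FIELDS = {"groups"}
# Fields describing the global (cross-wiki) account; privileged viewers only.
GLOBAL_ACCOUNT_FIELDS = {"home_wiki", "attached_wikis", "global_groups"}
# Hypothetical right that gates global account information (assumption).
GLOBAL_ACCOUNT_RIGHT = "view-global-account"
# Fields safe to show to anyone, including anonymous visitors.
PUBLIC_FIELDS = {"name", "edits"}

# Constructed sample records; names, groups and wiki ids are placeholders.
SAMPLE_USERS = [
    {"name": "Alice", "edits": 1204, "groups": ["sysop"],
     "home_wiki": "enwiki", "attached_wikis": ["enwiki", "dewiki"],
     "global_groups": ["steward"]},
    {"name": "Bob", "edits": 17, "groups": [],
     "home_wiki": "frwiki", "attached_wikis": ["frwiki"], "global_groups": []},
]

# Viewer model: {"authenticated": bool, "rights": set[str]}.
ANONYMOUS = {"authenticated": False, "rights": set()}
LOGGED_IN = {"authenticated": True, "rights": set()}
PRIVILEGED = {"authenticated": True, "rights": {GLOBAL_ACCOUNT_RIGHT}}


def visible_fields(viewer):
    """Fields a viewer may see: public for everyone, roles once authenticated,
    global account data only with the gating right."""
    allowed = set(PUBLIC_FIELDS)
    if viewer.get("authenticated"):
        allowed |= ROLE_FIELDS
        if GLOBAL_ACCOUNT_RIGHT in viewer.get("rights", set()):
            allowed |= GLOBAL_ACCOUNT_FIELDS
    return allowed


def render_user_list(users, viewer):
    """Filter every record down to the fields this viewer is allowed to see.
    Filtering happens on the server before rendering, so nothing hidden is
    ever sent to the client."""
    allowed = visible_fields(viewer)
    return [{k: v for k, v in user.items() if k in allowed} for user in users]


def leaked_fields(rendered, forbidden):
    """Regression check: names of forbidden fields present in any rendered record.
    An empty list means the listing discloses nothing from `forbidden`."""
    return sorted({k for record in rendered for k in record if k in forbidden})


def main():
    sensitive = ROLE_FIELDS | GLOBAL_ACCOUNT_FIELDS
    for label, viewer in (("anonymous", ANONYMOUS), ("logged-in", LOGGED_IN),
                          ("privileged", PRIVILEGED)):
        rendered = render_user_list(SAMPLE_USERS, viewer)
        print(label, rendered)
    # The regression check a CI job would run against the anonymous view.
    print("anonymous leaks:", leaked_fields(render_user_list(SAMPLE_USERS, ANONYMOUS), sensitive))


if __name__ == "__main__":
    main()
```

Running `leaked_fields` against the raw records (no filter) reports `groups` and the global account fields, which is exactly the disclosure described in this finding; running it against the anonymous rendering returns an empty list, which is the condition a regression check should assert on each release.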