Context Navigation

← Previous Ticket
Next Ticket →

#2985 closed defect (worksforme)

Security Hole: Url travseral. Nonadmin can change settings of other users

Reported by:	brianlaughlin	Owned by:	developer
Priority:	critical	Milestone:	5.0.3
Component:	vtigercrm	Version:	5.0.3-dev
Severity:		Keywords:	security
Cc:

Description

A non admin user can point directly to the url https://www.vigerurl.com/index.php?action=DetailView&module=Users&record=1&parenttab=Settings

and change user settings.

Attachments (1)

test1.png (74.2 KB) - added by mangai 13 years ago.: tested image for this issue

Download all attachments as: .zip

Change History (2)

Changed 13 years ago by mangai

Attachment test1.png added

tested image for this issue

comment:1 Changed 13 years ago by mangai

Resolution set to worksforme
Status changed from new to closed

Dear brianlaughlin,

I've test it in online demo of 5.0.3 version. I logged in as standarduser and typed the url that you've given, it displayed the message "you are not permitted."

kindly look into the attached image for info.

Note: See TracTickets for help on using tickets.

Download in other formats: