Opened 13 years ago

Closed 13 years ago

#2985 closed defect (worksforme)

Security Hole: URL traversal. Nonadmin can change settings of other users

Reported by: brianlaughlin
Owned by: developer
Priority: critical
Milestone: 5.0.3
Component: vtigercrm
Version: 5.0.3-dev
Severity:
Keywords: security
Cc:

Description

A non admin user can point directly to the url https://www.vigerurl.com/index.php?action=DetailView&module=Users&record=1&parenttab=Settings

and change user settings.
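The report above describes a request that is reachable by typing the URL directly, so the only thing that can stop it is a server-side check on every request. The following is an added example, not vtiger's code and not part of the ticket: a minimal authorization function that parses the request parameters (module, action, record), applies a default-deny policy, lets non-admins reach only their own Users record, and records denials for review. The module names in the policy, the user model and the sample URL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class User:
    user_id: int
    is_admin: bool


# Constructed policy (hypothetical, not vtiger's): modules where a non-admin
# may only touch the record that belongs to them.
SELF_ONLY_MODULES = {"Users"}
# Constructed policy: modules reserved entirely for administrators.
ADMIN_ONLY_MODULES = {"Settings"}

DENIED = "You are not permitted"

# Constructed sample request, shaped like the one in the ticket description.
SAMPLE_URL = ("https://crm.example.invalid/index.php"
              "?action=DetailView&module=Users&record=1&parenttab=Settings")


def parse_request(url: str) -> Dict[str, str]:
    """Flatten the query string of a request URL into {param: first_value}."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def authorize(user: User, params: Dict[str, str]) -> Tuple[bool, str]:
    """Server-side decision applied on every request, independent of whether the
    UI ever showed a link. Default is deny: a missing or unknown module never
    falls through to allow."""
    module = params.get("module")
    if not module:
        return False, DENIED
    if user.is_admin:
        return True, "ok"
    if module in ADMIN_ONLY_MODULES:
        return False, DENIED
    if module in SELF_ONLY_MODULES:
        record = params.get("record")
        # Only the caller's own record is permitted; a non-numeric or foreign id is refused.
        if record is None or not record.isdigit() or int(record) != user.user_id:
            return False, DENIED
    return True, "ok"


def handle(user: User, url: str, audit_log: List[dict]) -> str:
    """Dispatch helper: runs the check and appends each denial to audit_log so
    repeated direct-URL attempts against other users' records are visible."""
    params = parse_request(url)
    allowed, message = authorize(user, params)
    if not allowed:
        audit_log.append({
            "user": user.user_id,
            "module": params.get("module"),
            "record": params.get("record"),
            "action": params.get("action"),
        })
    return message


if __name__ == "__main__":
    log: List[dict] = []
    standard = User(user_id=2, is_admin=False)
    print("standard user on record=1:", handle(standard, SAMPLE_URL, log))
    print("standard user on own record:",
          handle(standard, SAMPLE_URL.replace("record=1", "record=2"), log))
    print("denials logged:", log)
```

The check lives in the dispatcher rather than in the template that renders the Settings tab, which is the point the ticket turns on: hiding a link is not an access control, and the same decision has to be made again when the request arrives.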

Attachments (1)

test1.png (74.2 KB) - added by mangai 13 years ago.
tested image for this issue


Change History (2)

Changed 13 years ago by mangai

tested image for this issue

comment:1 Changed 13 years ago by mangai

  • Resolution set to worksforme
  • Status changed from new to closed

Dear brianlaughlin,

I've tested it in the online demo of the 5.0.3 version. I logged in as standarduser and typed the URL that you've given; it displayed the message "you are not permitted."

Kindly look at the attached image for info.
