[ic] Security problem?
Hmm, it just occurred to me that users can apparently update arbitrary
fields in the userdb by saving any form page and adding input fields
corresponding to column names in the userdb. This will set IC values
and if the userdb is later saved will update any such fields. I just
tried it and it seems to work.
Is there a way of preventing this or is it just that by design you're
not supposed to put anything in the userdb that you want to prevent
people from updating? I note that the foundation userdb has some
fields that it would appear the user should not be able to set, i.e.
"dealer".
Am I missing something?
:j
--
Jürgen Botz | While differing widely in the various
jurgen@botz.org | little bits we know, in our infinite
| ignorance we are all equal. -Karl Popper
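
A small model of the behaviour described in the message above, added here as an illustration; it is not code from the post or from Interchange. It contrasts a save routine that copies every submitted value whose name matches a userdb column with one that writes only an explicit allowlist and reports attempts to set protected columns. The column names other than "dealer", the function names and the sample data are assumptions constructed for the example.

```python
# Constructed model of the issue in the post; not Interchange's own code.
# "dealer" is the column named in the post; the other columns are assumed.
USERDB_COLUMNS = ("username", "fname", "lname", "email", "dealer")

# Columns a logged-in user may change about themselves (assumed policy).
USER_EDITABLE = frozenset({"fname", "lname", "email"})


def save_blind(record, submitted):
    """Pattern described in the post: any submitted value whose name
    matches a userdb column is written back on save."""
    updated = dict(record)
    for column in USERDB_COLUMNS:
        if column in submitted:
            updated[column] = submitted[column]
    return updated


def save_allowlisted(record, submitted):
    """Write only allowlisted columns; return the new record plus the
    protected columns the form tried to set, so they can be logged."""
    updated = dict(record)
    rejected = []
    for name, value in submitted.items():
        if name in USER_EDITABLE:
            updated[name] = value
        elif name in USERDB_COLUMNS:
            rejected.append(name)  # protected column: do not write
        # names that are not userdb columns are simply not persisted
    return updated, sorted(rejected)


# Constructed sample data: a stored user row and a form post that carries
# an extra input named after a protected column.
RECORD = {"username": "jdoe", "fname": "J", "lname": "Doe",
          "email": "jdoe@example.com", "dealer": ""}
FORM = {"fname": "Jane", "dealer": "1", "page_note": "hello"}

if __name__ == "__main__":
    print("blind save:      ", save_blind(RECORD, FORM))
    safe, rejected = save_allowlisted(RECORD, FORM)
    print("allowlisted save:", safe)
    print("rejected columns:", rejected)
```
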