security issue

A place to discuss and receive support for the Web Auction application.

security issue

Postby cybergenesis » Tue Jan 25, 2011 12:42 am

Hello,
I noticed a security problem. If I am logged in and click "Edit My Profile" on the left hand side, the url link is:
index.php?-action=edit&-table=users&username==admin

If I change "admin" to any other username, I can see their information (first name, last name, etc.).
Any suggestion on a fix for this? I noticed the My Watch List link does not use this type of GET call; my guess is that it is using sessions. Would it be better to use sessions in this situation?

Thanks in advance.
cybergenesis
 
Posts: 5
Joined: Thu Jan 13, 2011 7:13 am

Re: security issue

Postby shannah » Tue Jan 25, 2011 12:44 pm

When you are logged in as admin, you have access to everyone's profile. If you are logged in as a regular user you shouldn't be able to see others' profile info.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm
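The rule shannah states (an admin may open any profile, a regular user only their own) is an authorization decision that has to be made on the server from the session, not from the GET parameter the browser sends. The following is an added example of such a check, not Dataface's or the Web Auction application's own code; the session keys (username, role), the role name ADMIN, the users table columns and the helper names can_view_profile() and load_profile() are all assumptions made for the illustration.

```php
<?php
// Added example (not the Web Auction app's or Dataface's own code).
// Assumptions: the logged-in user's name and role are kept in $_SESSION,
// and the requested record comes from the ?username= GET parameter.
// Hypothetical helper names: can_view_profile(), load_profile().

session_start();

/**
 * Server-side authorization for the "Edit My Profile" action.
 * Admins may view any profile; every other user may view only their own.
 * The decision uses the session identity, never the GET parameter alone.
 */
function can_view_profile(string $sessionUser, string $sessionRole, string $requestedUser): bool
{
    if ($sessionRole === 'ADMIN') {
        return true;
    }
    return $sessionUser === $requestedUser;
}

/**
 * Load the record only after the check above has passed.
 * Parameterized query over a constructed users table (username, first_name, last_name).
 */
function load_profile(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, first_name, last_name FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample session: a regular user (not an admin) is logged in.
$_SESSION['username'] = $_SESSION['username'] ?? 'alice';
$_SESSION['role']     = $_SESSION['role']     ?? 'USER';

// The target username comes from the URL; default to the session user.
$requested = $_GET['username'] ?? $_SESSION['username'];

if (!can_view_profile($_SESSION['username'], $_SESSION['role'], $requested)) {
    // Deny and log the attempt so a string of such requests is visible in the logs.
    http_response_code(403);
    error_log(sprintf('profile access denied: session=%s requested=%s',
                      $_SESSION['username'], $requested));
    exit('Permission denied');
}

// Authorized: connect (constructed DSN) and load the record.
// $db = new PDO('mysql:host=localhost;dbname=webauction', 'dbuser', 'dbpass');
// $profile = load_profile($db, $requested);
```

With this in place, a request for ?username==bob made by alice is refused with a 403 and a log line, while the same request made by an ADMIN session succeeds, which matches the behaviour cybergenesis confirmed in the follow-up below. Logging the denied requests is what lets an operator notice a user walking through other usernames.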

Re: security issue

Postby cybergenesis » Sun Jan 30, 2011 11:50 pm

Shannah,
You are correct, I checked the link using a user account and it does not show any other users. Sorry for the post and thanks for the help.
cybergenesis
 
Posts: 5
Joined: Thu Jan 13, 2011 7:13 am


Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved