Opened 8 years ago

Closed 7 years ago

#3510 closed defect (fixed)

Security: Disabled fields can still be edited by clever user

Reported by: anonymous Owned by: obs
Priority: high Component: BlackMagicTicketTweaksPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.11


Though I haven't installed or used your plugin, I was just browsing through the source and it seems that disabled fields are only disabled superficially. In other words, only by adding a disabled attribute to the HTML tag.

A clever user could still submit a new value for the disabled field in the HTTP POST data and change its value. This is a security flaw that is particularly important for projects with anonymous contributors (such as this one :-)).


  • Aamer Abbas

Attachments (0)

Change History (3)

comment:1 Changed 8 years ago by anonymous

  • Severity changed from normal to major

comment:2 Changed 7 years ago by obs

  • Owner changed from ixokai to obs
  • Severity changed from major to critical
  • Trac Release changed from 0.10 to 0.11

comment:3 Changed 7 years ago by obs

  • Resolution set to fixed
  • Status changed from new to closed

(In [7207]) Added ticket validation for disabled and hidden fields, if they are modified by the user (i.e. faking the http post or editing the form with tools such as firebug) an access denied error will be thrown fixes #3510

Add Comment

Modify Ticket

as closed The owner will remain obs.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.