Security: Disabled fields can still be edited by clever user
|Reported by:||anonymous||Owned by:||obs|
Though I haven't installed or used your plugin, I was just browsing through the source and it seems that disabled fields are only disabled superficially. In other words, only by adding a disabled attribute to the HTML tag.
A clever user could still submit a new value for the disabled field in the HTTP POST data and change its value. This is a security flaw that is particularly important for projects with anonymous contributors (such as this one :-)).
- Aamer Abbas
Change History (3)
comment:2 Changed 7 years ago by obs
- Owner changed from ixokai to obs
- Severity changed from major to critical
- Trac Release changed from 0.10 to 0.11