
Opened 9 years ago

Closed 8 years ago

#3510 closed defect (fixed)

Security: Disabled fields can still be edited by clever user

Reported by: anonymous
Owned by: obs
Priority: high
Component: BlackMagicTicketTweaksPlugin
Severity: critical
Keywords:
Cc:
Trac Release: 0.11

Description

Though I haven't installed or used your plugin, I was just browsing through the source and it seems that disabled fields are only disabled superficially. In other words, only by adding a disabled attribute to the HTML tag.

A clever user could still submit a new value for the disabled field in the HTTP POST data and change its value. This is a security flaw that is particularly important for projects with anonymous contributors (such as this one :-)).

Thanks,

Aamer Abbas


Change History (3)

comment:1 Changed 9 years ago by anonymous

Severity: normal → major

comment:2 Changed 8 years ago by obs

Owner: changed from Stephen Hansen to obs
Severity: major → critical
Trac Release: 0.10 → 0.11

comment:3 Changed 8 years ago by obs

Resolution: fixed
Status: new → closed

(In [7207]) Added ticket validation for disabled and hidden fields. If they are modified by the user (i.e. faking the HTTP POST or editing the form with tools such as Firebug), an access denied error will be thrown. Fixes #3510.
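The fix described in comment:3, as an added example that is not the plugin's own code: a validate_ticket hook in the shape of Trac's ITicketManipulator that rejects any change to a field the form rendered disabled or hidden, by comparing against the stored values rather than trusting the browser. FakeTicket is a constructed stand-in for Trac's Ticket model (current values in .values, previous values of changed fields in ._old), and the field policy is constructed for this example; the field_ parameter prefix mirrors Trac's ticket form.

```python
# Added example (not the plugin's code): server-side enforcement of
# disabled/hidden ticket fields as a Trac ITicketManipulator-style hook.
# FakeTicket is a constructed stand-in for trac.ticket.model.Ticket; the
# field policy below is constructed, not the plugin's real configuration.

LOCKED_FIELDS = {"milestone", "priority"}  # rendered with disabled="disabled"
HIDDEN_FIELDS = {"secret_flag"}            # not rendered in the form at all


class FakeTicket:
    """Minimal stand-in for Trac's Ticket: .values holds the current
    fields, ._old the previous value of every field changed so far."""

    def __init__(self, stored):
        self.values = dict(stored)
        self._old = {}

    def __setitem__(self, name, value):
        # Same bookkeeping as Trac: record the stored value on first change,
        # and drop the record again if the field is set back to it.
        if name in self.values and self.values[name] == value:
            return
        if name not in self._old:
            self._old[name] = self.values.get(name)
        elif self._old[name] == value:
            del self._old[name]
        self.values[name] = value


def apply_post(ticket, post_data):
    """Copy submitted field_* parameters onto the ticket the way the web
    handler does. Nothing here looks at the disabled attribute, so a
    crafted POST can name any field: that is the flaw the ticket reports."""
    for name, value in post_data.items():
        if name.startswith("field_"):
            ticket[name[len("field_"):]] = value


def validate_ticket(req, ticket):
    """Return (field, message) errors for every modified field the user
    was never allowed to edit; an empty list means the change is accepted.
    Checking the server-side diff, not the rendered form, closes the hole."""
    errors = []
    for field in sorted(ticket._old):
        if field in LOCKED_FIELDS or field in HIDDEN_FIELDS:
            errors.append((field, "Access denied: '%s' is not editable" % field))
    return errors
```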
