[Vtigercrm-commits] [vtiger development] #7714: Any user can change any field data on other user (except for the password), Even eliminate the admin privileges to the user Admin
vtiger development
vtiger-tickets at trac.vtiger.com
Wed Jul 24 08:02:54 UTC 2013
#7714: Any user can change any field data on other user (except for the password),
Even eliminate the admin privileges to the user Admin
--------------------------+----------------------------------
  Reporter: juanpablojp1  |  Owner: developer
      Type: defect        |  Status: new
  Priority: minor         |  Milestone: 6.0.0
 Component: vtigercrm     |  Version:
  Severity: Medium        |  Keywords: privilege escalation
--------------------------+----------------------------------
When a user is on the system and makes a change to any data field via "My
Preferences", an AJAX request is sent to index.php and, depending on the
field, the body of that POST message is as follows (e.g. First Name):
{{{
value=My+Name&field=first_name&record=5&module=Users&action=SaveAjax
}}}
Any user could change that body message and make changes that they shouldn't
be able to; the most critical:
* Becoming admin:
{{{
value=on&field=is_admin&record=5&module=Users&action=SaveAjax
}}}
* Eliminating the admin privileges of the user Admin:
{{{
value=off&field=is_admin&record=1&module=Users&action=SaveAjax
}}}
--
Ticket URL: <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7714>
vtiger development <http://trac.vtiger.com/>
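Added example, not from the ticket or from vtiger's code base: a server-side authorization gate that a Users-module SaveAjax handler could run before writing the field, written in PHP with hypothetical names (denySaveAjax, SELF_EDITABLE_FIELDS, PRIVILEGE_FIELDS; the field lists are assumptions). It refuses both requests quoted in the ticket when they come from a non-admin user, while still allowing the legitimate first-name change on the user's own record.

```php
<?php
// Hypothetical authorization gate for a Users-module SaveAjax request.
// Added example; not vtiger's own code or API.

// Fields a user may change on their own record through "My Preferences".
// The list itself is an assumption for this example.
const SELF_EDITABLE_FIELDS = ['first_name', 'last_name', 'email1', 'phone_work', 'language'];

// Fields that alter privileges; only an administrator may change them.
const PRIVILEGE_FIELDS = ['is_admin', 'roleid', 'status'];

/**
 * Decide whether $currentUser may apply the SaveAjax request $req.
 *   $currentUser = ['id' => int, 'is_admin' => bool]   (taken from the session, never from the request)
 *   $req         = ['module', 'action', 'field', 'record', 'value'] as parsed from the POST body
 * Returns null when the write is allowed, otherwise a short reason for the refusal.
 */
function denySaveAjax(array $currentUser, array $req): ?string {
    if (($req['module'] ?? '') !== 'Users' || ($req['action'] ?? '') !== 'SaveAjax') {
        return 'not a Users SaveAjax request';
    }
    $field  = (string) ($req['field'] ?? '');
    $record = (int) ($req['record'] ?? 0);
    $isSelf = $record === (int) $currentUser['id'];

    // Privilege fields: the record id in the request is irrelevant, the caller's role decides.
    if (in_array($field, PRIVILEGE_FIELDS, true)) {
        return $currentUser['is_admin'] ? null : "non-admin may not change $field";
    }
    // Ordinary fields: a non-admin may only touch their own record ...
    if (!$isSelf && !$currentUser['is_admin']) {
        return 'non-admin may only edit own record';
    }
    // ... and only the fields exposed in "My Preferences".
    if (!in_array($field, SELF_EDITABLE_FIELDS, true)) {
        return "field $field is not editable via SaveAjax";
    }
    return null;
}

// The POST bodies from the ticket, parsed the way index.php would see them,
// issued by user 5, who is not an administrator.
$user5 = ['id' => 5, 'is_admin' => false];
parse_str('value=My+Name&field=first_name&record=5&module=Users&action=SaveAjax', $rename);
parse_str('value=on&field=is_admin&record=5&module=Users&action=SaveAjax', $escalate);
parse_str('value=off&field=is_admin&record=1&module=Users&action=SaveAjax', $demote);

foreach (['rename' => $rename, 'escalate' => $escalate, 'demote' => $demote] as $name => $req) {
    $reason = denySaveAjax($user5, $req);
    echo $name, ': ', $reason === null ? 'allowed' : "denied ($reason)", PHP_EOL;
}
```

The gate is applied before the field is written, so a tampered `field` or `record` parameter changes nothing; the decision rests only on session data.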