User can change own rank

Bug #247484 reported by KyleO
Affects: phpns
Status: Fix Released
Importance: Medium
Assigned to: KyleO

Bug Description

Users can change their own rank, elevating themselves to whatever predefined levels are available.
This can be done the easy way, by just selecting the current user the client is logged in as, and simply modifying it.
Or, a more elaborate way is to spoof the POST data.

Tags: rank user
KyleO (k-p-osborn)
description: updated
KyleO (k-p-osborn) wrote :

This is fixed in the newest update. The patch release, including all patches, can be found in this zip file: http://kyleosborn.com/phpns/patches/2.2.3.patch.zip
The fix includes disabling the rank option list when modifying one's own user profile, and making a check right before updating the database.


Changed in phpns:
assignee: nobody → k-p-osborn
importance: Undecided → Medium
status: New → Fix Committed
status: Fix Committed → Fix Released
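
The second half of the fix described above, a server-side check right before the database update, is the part that stops a spoofed POST. The following is an added illustration, not phpns code and not taken from the 2.2.3 patch. The function name, the field names (`rank_id`, `email`), the rank values and the sample data are all hypothetical, and it assumes permission to edit other users is checked elsewhere.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not phpns code: decide which profile fields may be
// written, using the server-side session identity, never the form contents.
function filterUserUpdate(array $session, array $target, array $post, array $validRanks): array
{
    $update = [];
    if (isset($post['email'])) {
        $update['email'] = (string) $post['email'];
    }

    if (array_key_exists('rank_id', $post)) {
        $newRank = (int) $post['rank_id'];
        $changesRank = $newRank !== (int) $target['rank_id'];

        // The check right before the database update: a disabled <select>
        // is not submitted by a browser, but a hand-built POST can still
        // carry rank_id, so the server has to refuse it.
        if ($changesRank && (int) $session['user_id'] === (int) $target['id']) {
            throw new RuntimeException('Users may not change their own rank.');
        }
        if (!in_array($newRank, $validRanks, true)) {
            throw new InvalidArgumentException('Unknown rank.');
        }
        $update['rank_id'] = $newRank;
    }
    return $update;
}

// Constructed sample data (assumed rank ids: 1 = highest, 3 = lowest).
$validRanks = [1, 2, 3];
$session    = ['user_id' => 7];
$self       = ['id' => 7, 'rank_id' => 3];
$other      = ['id' => 9, 'rank_id' => 3];

// Editing another account: the rank change is passed through.
var_dump(filterUserUpdate($session, $other, ['rank_id' => '2'], $validRanks));

// Editing one's own account with rank_id added to the request: rejected.
try {
    filterUserUpdate($session, $self, ['email' => 'a@example.org', 'rank_id' => '1'], $validRanks);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Disabling the option list only changes what the form sends by default; the comparison against the session user is what enforces the rule.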
This report contains Public Security information  
Everyone can see this security related information.
