Letractively / webpasswordsafe

Automatically exported from code.google.com/p/webpasswordsafe

Able to tamper access level values with no validation on server #9

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Edit a permission (either on password or template)
2. Use a tool to tamper with the request data when saving, before it is sent to the server, changing the access level to something other than READ/WRITE/GRANT yet is still <= 5 characters long.
3. It saves this bogus access level into the database without validating it, and creates 

What is the expected output? What do you see instead?
1. The server should validate that the access level is a valid one, and throw an error and not update the database if it isn't.

Original issue reported on code.google.com by joshdrum...@gmail.com on 4 Dec 2010 at 12:43
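
One way to do the server-side check the report asks for, as an added example that is not the project's own code: the access level is matched exactly against the READ/WRITE/GRANT allowlist, and every entry is validated before anything is written. The class, DTO and method names, the in-memory map standing in for the database, and the sample values are all assumptions made for illustration.

```java
import java.util.*;

public class AccessLevelValidationExample {
    // The three levels named in the report; anything else is rejected.
    enum AccessLevel { READ, WRITE, GRANT }

    // Hypothetical request DTO: the access level arrives as a raw string from the client.
    static final class PermissionRequest {
        final String subject;
        final String accessLevel;
        PermissionRequest(String subject, String accessLevel) {
            this.subject = subject;
            this.accessLevel = accessLevel;
        }
    }

    // Exact-match allowlist parse: no trimming, no case folding, no length-only check.
    static AccessLevel parseAccessLevel(String raw) {
        for (AccessLevel level : AccessLevel.values()) {
            if (level.name().equals(raw)) {
                return level;
            }
        }
        throw new IllegalArgumentException("Invalid access level in request");
    }

    // Validate every entry first, then write, so one bad value leaves the store untouched.
    static void savePermissions(List<PermissionRequest> requests, Map<String, AccessLevel> store) {
        Map<String, AccessLevel> validated = new LinkedHashMap<>();
        for (PermissionRequest r : requests) {
            validated.put(r.subject, parseAccessLevel(r.accessLevel));
        }
        store.putAll(validated);
    }

    public static void main(String[] args) {
        Map<String, AccessLevel> store = new HashMap<>(); // stands in for the database
        // Constructed sample input: second entry is a tampered value that is <= 5 characters.
        List<PermissionRequest> tampered = Arrays.asList(
                new PermissionRequest("alice", "WRITE"),
                new PermissionRequest("bob", "ADMIN"));
        try {
            savePermissions(tampered, store);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage() + ", rows written: " + store.size());
        }
        savePermissions(Arrays.asList(new PermissionRequest("alice", "READ")), store);
        System.out.println("stored: " + store);
    }
}
```

The error message deliberately omits the rejected value so that client-controlled text does not flow into logs or responses.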

GoogleCodeExporter commented 8 years ago

Original comment by joshdrum...@gmail.com on 5 Dec 2010 at 4:43

GoogleCodeExporter commented 8 years ago

Original comment by joshdrum...@gmail.com on 27 Dec 2010 at 8:11