What steps will reproduce the problem?
1. Using prefs.php, regular logged-in users can add or delete other users by modifying POST fields in their request header.
2. An attacker could also trick a logged-in user into clicking a button hosted elsewhere with the POST data necessary to add or delete a user.
What is the expected output? What do you see instead?
Add/delete user requests should not be accepted from non-admin users (I assume).
Please use labels and text to provide additional information.
I fixed this issue by adding a check "fof_is_admin()" to each sensitive if statement.
The fix is attached. I've also attached a sample of a form that an attacker
might use to trick a user. Note that this form could be hosted off-site.
Original issue reported on code.google.com by dmazz...@gmail.com on 18 May 2011 at 8:23
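The following is an added illustration of the two problems the report describes (a missing authorization check on user add/delete, and an off-site form that makes a logged-in user's browser submit that POST). It is not Feed on Feeds' own prefs.php and not the reporter's attached patch, which is not reproduced here. fof_is_admin() is the project function the report names; every other name (the handler functions, the in-memory user table, the csrf_token field) is hypothetical.

```php
<?php
// Added illustration, not the project's prefs.php and not the attached patch.
// fof_is_admin() is named in the report; all other names are hypothetical.

session_start();

// Stand-in so the file runs offline; the project's real fof_is_admin() replaces this.
function fof_is_admin(): bool
{
    return !empty($_SESSION['is_admin']);
}

// Hypothetical in-memory user table standing in for the project's database.
$GLOBALS['users'] = ['admin' => 'secret', 'alice' => 'secret'];

function fof_db_add_user(string $name, string $password): void
{
    $GLOBALS['users'][$name] = $password;
}

function fof_db_delete_user(string $name): void
{
    unset($GLOBALS['users'][$name]);
}

// --- Vulnerable pattern -------------------------------------------------
// Any logged-in user who POSTs adduser=1 or deleteuser=1 gets through, and a
// form hosted on another site can make a victim's browser send that POST.
function handle_user_admin_vulnerable(array $post): string
{
    if (isset($post['adduser'])) {
        fof_db_add_user($post['username'], $post['password']);
        return 'added';
    }
    if (isset($post['deleteuser'])) {
        fof_db_delete_user($post['username']);
        return 'deleted';
    }
    return 'noop';
}

// --- Hardened pattern ---------------------------------------------------
// 1. Authorization: fof_is_admin() gates every add/delete branch (the fix the
//    report describes). This stops the first attack on its own.
// 2. Anti-CSRF token: a per-session random secret an off-site form cannot
//    know, so a tricked admin's browser no longer submits a valid request.
function fof_csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function fof_csrf_check(array $post): bool
{
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

function handle_user_admin_hardened(array $post): string
{
    if (!fof_is_admin()) {
        http_response_code(403);
        return 'forbidden';
    }
    if (!fof_csrf_check($post)) {
        http_response_code(403);
        return 'bad-token';
    }
    return handle_user_admin_vulnerable($post); // same branches, now guarded
}

// The add/delete form that prefs.php renders must carry the token as a hidden
// field named csrf_token whose value is fof_csrf_token(), HTML-escaped.

// Demonstration: a non-admin session replaying the attacker's POST.
$_SESSION['is_admin'] = false;
$attack = ['deleteuser' => '1', 'username' => 'admin'];
echo handle_user_admin_vulnerable($attack), "\n";   // deleted
echo handle_user_admin_hardened($attack), "\n";     // forbidden
```

Run with the CLI interpreter: the vulnerable handler removes the admin account for a non-admin session, while the hardened handler refuses it. Switching the session to an admin still yields bad-token for the replayed request, because the off-site form never had the session's csrf_token; only the form that prefs.php itself renders carries it.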