minutils / feed-on-feeds

Released in 2003, saw the rise and fall of Google Reader, reached perfection in 2011
http://feedonfeeds.com/
GNU General Public License v2.0

Users can add/delete other users, or be tricked into doing so. #70

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Using prefs.php, regular logged-in users can add or delete other users by modifying POST fields in their request header.
2. An attacker could also trick a logged-in user into clicking a button hosted elsewhere with the POST data necessary to add or delete a user.

What is the expected output? What do you see instead?
Add/delete user requests should not be accepted from non-admin users (I assume).

Please use labels and text to provide additional information.
I fixed this issue by adding a check "fof_is_admin()" to each sensitive if statement.
The fix is attached. I've also attached a sample of a form that an attacker might use to trick a user. Note that this form could be hosted off-site.

Original issue reported on code.google.com by dmazz...@gmail.com on 18 May 2011 at 8:23

Attachments:
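The report names two separate defects in prefs.php: a missing authorization check (any logged-in user can reach the add/delete branches) and a missing anti-CSRF measure (a form hosted off-site can submit those same POST fields on the victim's behalf). The following is an added illustration, not the attached patch and not feed-on-feeds' own code. It shows the unguarded branch pattern the report describes beside a hardened handler that adds the `fof_is_admin()` check from the report plus a per-session CSRF token. `fof_is_admin()` is the project function named above; `fof_add_user()`, `fof_delete_user()`, the field names and the token handling are assumptions for the example.

```php
<?php
// Added example, not feed-on-feeds' own prefs.php.
// fof_is_admin() is the project function named in the report; everything
// else (fof_add_user, fof_delete_user, field names, token scheme) is assumed.

session_start();

// --- Vulnerable pattern described in the report (kept for contrast) ---
// Any authenticated user, or a cross-site form acting as one, reaches these
// branches because nothing checks who is asking or where the request came from.
function prefs_handle_post_unguarded(): void {
    if (isset($_POST['adduser'])) {
        fof_add_user($_POST['username'], $_POST['password']);
    }
    if (isset($_POST['deleteuser'])) {
        fof_delete_user($_POST['deleteuser']);
    }
}

// --- Hardened handler ---

// Issue one random token per session; every prefs form embeds it as a hidden field.
// random_bytes() requires PHP 7 or later.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// An off-site form cannot read the victim's session token, so a request
// without the matching token is rejected before any state changes.
// hash_equals() avoids a timing side channel on the comparison.
function csrf_check(): void {
    $sent = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
}

// Authorization: the check the report added in front of each sensitive branch.
function require_admin(): void {
    if (!fof_is_admin()) {
        http_response_code(403);
        exit('admin privileges required');
    }
}

function prefs_handle_post_hardened(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return; // state changes only via POST, never via a crafted GET link
    }
    csrf_check();
    if (isset($_POST['adduser'])) {
        require_admin();
        fof_add_user((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    }
    if (isset($_POST['deleteuser'])) {
        require_admin();
        fof_delete_user((string)$_POST['deleteuser']);
    }
}

prefs_handle_post_hardened();
?>
<!-- Every form that posts to prefs.php carries the session token. -->
<form method="post" action="prefs.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit" name="adduser" value="1">Add user</button>
</form>
```

Both checks are needed: `fof_is_admin()` alone still lets an off-site form act on behalf of a logged-in admin, and the CSRF token alone still lets any non-admin user who holds a valid session add or delete accounts directly. Ordering the token check before the authorization check means forged requests are refused without touching account logic at all.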

GoogleCodeExporter commented 9 years ago
Thanks, I will apply your change.

Original comment by stevemin...@gmail.com on 22 May 2011 at 5:50