  • Kyle (24 posts, 63 karma points)
    Mar 02, 2016 @ 21:48

    Security Flaw in "editmember" View

    There are a couple of issues with the editmember page.

    1. Even if not logged in you can view /forum/page/editmember/?id=1234 and retrieve the member's personal details. It's easy for someone to increment the id number and reveal member data.
    2. If you're logged in as a front end member with the standard user role you can change another member's profile.

    I've botched a workaround into the editmember.cshtml view to hide the form.

    @{
        var currentMember = ServiceFactory.MemberService.CurrentMember();
        var requestedId = Request.QueryString["id"];
    }
    @* Render the form only when a member is logged in and the requested id is their own.
       Checking requestedId for null avoids a NullReferenceException when ?id= is missing. *@
    @if (currentMember != null && requestedId != null && currentMember.Id.ToString() == requestedId)
    {
        Form Here
    }

    Appreciate this is a FREE package and very thankful for it! Just thought I'd share so you can mitigate this flaw.

    Thanks, Kyle
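The two problems in the post are both missing server-side authorization on the editmember page (an insecure direct object reference: the ?id= value is trusted as-is). Hiding the form in the view only covers the GET; the save handler needs the same rule, or point 2 survives as a crafted POST. The following is an added, self-contained C# example and is not code from the original post or from the package it discusses; MemberRecord, MemberEditAuthorizer and EditMemberHandler are hypothetical stand-ins for the package's MemberService and page code, and the ids, names and e-mail addresses are constructed sample data.

```csharp
// Added example (not from the original post or the package it discusses).
// Assumptions: MemberRecord, MemberEditAuthorizer and EditMemberHandler are
// hypothetical stand-ins for the package's MemberService and page code; the
// ids, names and e-mail addresses below are constructed sample data.
using System;
using System.Collections.Generic;

public sealed class MemberRecord
{
    public int Id { get; }
    public string Name { get; set; }
    public string Email { get; set; }
    public MemberRecord(int id, string name, string email) { Id = id; Name = name; Email = email; }
}

public static class MemberEditAuthorizer
{
    // The rule the editmember page needs: the caller must be logged in and must
    // own the requested record (or hold a privileged role). It is applied before
    // reading the record (point 1 in the post) and again before writing it
    // (point 2), never only when deciding whether to render the form.
    public static bool CanEdit(int? currentMemberId, int requestedId, bool isModerator)
    {
        if (currentMemberId == null) return false;   // anonymous visitor: no access at all
        if (isModerator) return true;                // privileged role may edit any member
        return currentMemberId.Value == requestedId; // standard member: own record only
    }
}

public sealed class EditMemberHandler
{
    private readonly Dictionary<int, MemberRecord> _store;
    public EditMemberHandler(Dictionary<int, MemberRecord> store) { _store = store; }

    // GET path: returns the record to render, or null when the caller may not see it.
    public MemberRecord Load(int? currentMemberId, string idFromQuery, bool isModerator)
    {
        // Parse defensively: a missing or non-numeric ?id= must not throw.
        if (!int.TryParse(idFromQuery, out var requestedId)) return null;
        if (!MemberEditAuthorizer.CanEdit(currentMemberId, requestedId, isModerator)) return null;
        return _store.TryGetValue(requestedId, out var record) ? record : null;
    }

    // POST path: the same rule, so hiding the form in the view is not the only barrier.
    public bool Save(int? currentMemberId, string idFromForm, bool isModerator, string newEmail)
    {
        if (!int.TryParse(idFromForm, out var requestedId)) return false;
        if (!MemberEditAuthorizer.CanEdit(currentMemberId, requestedId, isModerator)) return false;
        if (!_store.TryGetValue(requestedId, out var record)) return false;
        record.Email = newEmail;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new Dictionary<int, MemberRecord>
        {
            [1234] = new MemberRecord(1234, "Alice", "alice@example.invalid"),
            [1235] = new MemberRecord(1235, "Bob", "bob@example.invalid"),
        };
        var handler = new EditMemberHandler(store);

        // Point 1 from the post: an anonymous visitor walking through ids gets nothing back.
        Console.WriteLine("anonymous load of 1234 denied: " + (handler.Load(null, "1234", false) == null));
        // A member loading their own record succeeds.
        Console.WriteLine("member 1234 loads own record: " + handler.Load(1234, "1234", false)?.Name);
        // Point 2 from the post: member 1234 posting a save for member 1235 is refused.
        Console.WriteLine("member 1234 saves 1235: " + handler.Save(1234, "1235", false, "x@example.invalid"));
        Console.WriteLine("1235 e-mail still: " + store[1235].Email);
        // A garbage id does not crash the page.
        Console.WriteLine("non-numeric id denied: " + (handler.Load(1234, "abc", false) == null));
    }
}
```

The design choice worth carrying back to the real view is that the owner check lives in one place (CanEdit) and both the read and the write path call it; the form being hidden is a courtesy to the user, not the control.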
