Security Flaw in "editmember" View

There are a couple of issues with the editmember page.

Even if not logged in, you can view /forum/page/editmember/?id=1234 and retrieve the member's personal details. It's easy for someone to increment the id number and reveal member data.

If you're logged in as a front-end member with the standard user role, you can change another member's profile.

I've botched a workaround into the editmember.cshtml view to hide the form.

@{
    // Look the current member up once; CurrentMember() is null when nobody is logged in.
    var currentMember = ServiceFactory.MemberService.CurrentMember();
}
@if (currentMember != null)
{
    // Only render the form when the id in the query string is the logged-in member's own id.
    // Comparing against Request.QueryString["id"] directly (without .ToString()) avoids a
    // NullReferenceException when the id parameter is missing from the URL.
    if (currentMember.Id.ToString() == Request.QueryString["id"])
    {
        @* Form Here *@
    }
}

Appreciate this is a FREE package and very thankful for it! Just thought I'd share so you can mitigate this flaw.

Thanks, Kyle
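As an added example (not code from the post above or from the forum package), here is the kind of server-side check that a view-level workaround on its own does not give you: hiding the form markup only changes what is rendered, so the ownership test belongs in the handler, before any member record is read or written, where it covers both the page that shows the form and the request that saves it. IMemberService, Member, EditMemberPolicy and FakeMemberService are hypothetical stand-ins for the package's real ServiceFactory.MemberService types, and the two member records are constructed data.

```csharp
#nullable enable
// Added example: server-side ownership check for an "edit member" page.
// The service and model types are hypothetical stand-ins, not the package's own API.
using System;
using System.Collections.Generic;

public sealed class Member
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public string Email { get; set; } = "";
}

public interface IMemberService
{
    Member? CurrentMember();   // null when nobody is logged in
    Member? GetById(int id);
    void Save(Member member);
}

public enum EditOutcome { Unauthorized, Forbidden, NotFound, Ok }

public static class EditMemberPolicy
{
    // Call this from both the GET (render form) and POST (save) handlers before
    // touching any member data. The id from the query string is only honoured
    // when it matches the logged-in member's own id.
    public static EditOutcome Authorize(IMemberService members, string? requestedId, out Member? target)
    {
        target = null;
        var current = members.CurrentMember();
        if (current == null)
            return EditOutcome.Unauthorized;        // not logged in: disclose nothing

        if (!int.TryParse(requestedId, out var id))
            return EditOutcome.NotFound;            // missing or non-numeric id: no exception

        if (id != current.Id)
            return EditOutcome.Forbidden;           // logged in, but not the owner of this record

        target = members.GetById(id);
        return target == null ? EditOutcome.NotFound : EditOutcome.Ok;
    }

    // Safer still for the save path: ignore any client-supplied id and write to
    // the current member's own record, so there is no id left to increment.
    public static EditOutcome SaveProfile(IMemberService members, string newEmail)
    {
        var current = members.CurrentMember();
        if (current == null)
            return EditOutcome.Unauthorized;
        current.Email = newEmail;
        members.Save(current);
        return EditOutcome.Ok;
    }
}

// Constructed in-memory service for the demo (hypothetical data).
public sealed class FakeMemberService : IMemberService
{
    private readonly Dictionary<int, Member> _db = new()
    {
        [1234] = new Member { Id = 1234, Name = "alice", Email = "alice@example.test" },
        [1235] = new Member { Id = 1235, Name = "bob",   Email = "bob@example.test" },
    };

    public int? LoggedInId { get; set; }           // simulates the session
    public Member? CurrentMember() => LoggedInId is int id ? _db[id] : null;
    public Member? GetById(int id) => _db.TryGetValue(id, out var m) ? m : null;
    public void Save(Member member) => _db[member.Id] = member;
}

public static class Program
{
    public static void Main()
    {
        var svc = new FakeMemberService();

        // Anonymous request for ?id=1234: Unauthorized (the page currently discloses the data).
        svc.LoggedInId = null;
        Console.WriteLine(EditMemberPolicy.Authorize(svc, "1234", out _));

        // bob (1235) requesting ?id=1234: Forbidden (currently he could edit alice's profile).
        svc.LoggedInId = 1235;
        Console.WriteLine(EditMemberPolicy.Authorize(svc, "1234", out _));

        // alice requesting her own record: Ok, and the record is returned.
        svc.LoggedInId = 1234;
        Console.WriteLine(EditMemberPolicy.Authorize(svc, "1234", out var me));
        Console.WriteLine(me?.Email);

        // Missing id no longer throws; it is simply NotFound.
        Console.WriteLine(EditMemberPolicy.Authorize(svc, null, out _));
    }
}
```

Unauthorized and Forbidden map naturally onto 401 and 403 responses in a controller action, and the same check has to run on the save endpoint, not only on the page that renders the form. SaveProfile goes one step further by never reading the id from the client at all, which removes the incremented-id problem instead of just testing for it.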