security flaw in editmember view - General - our.umbraco.com

Press Ctrl / CMD + C to copy this to your clipboard.

Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

Kyle 24 posts 63 karma points

Mar 02, 2016 @ 21:48
0

Security Flaw in "editmember" View

General

Umbraco 7
There are a couple of issues with the editmember page.
1. Even if not logged in you can view /forum/page/editmember/?id=1234 and retrieve the members personal details. It's easy for someone to increment the id number and reveal member data.
2. If you're logged in as front end member you can change another members profile with standard user role.
I’ve botched a work around into the editmember.cshtml view to hide the form.
```
@if (ServiceFactory.MemberService.CurrentMember() != null)
{
    if (ServiceFactory.MemberService.CurrentMember().Id.ToString() == Request.QueryString["id"].ToString())
{
Form Here
}
}
```
Appreciate this is a FREE package and very thankful for it! Just thought I'd share so you can mitigate this flaw.

Thanks, Kyle
Copy Link
is working on a reply...

Please Sign in or register to post replies

Write your reply to:

Editor

Preview

Draft