Issue Information
#000005
Users with rule-editing privileges may edit Rule 01 - administrator. Access URL: http://www.yoursite....index.php?id=1;a=35
Solution
File: manager/actions/dynamic/mutate_role.dynamic.action.php
Place the code after line 16:
...
$role = $_REQUEST['id'];
if($role=="") $role=0;
ADD
// Alfabetto - Security bug fix: EDIT/DELETE RULE 1 - ADMINISTRATOR
// block a user from editing rule 1 - administrator
if($role==1) {
    $e->setError(3);
    $e->dumpError();
}
// Alfabetto - Security bug fix: EDIT/DELETE RULE 1 - ADMINISTRATOR
Steps to Reproduce
Logged in as a user with rule-editing privileges
Access URL: http://www.yoursite....index.php?id=1;a=35
Edit and save
Submitted By: alfabetto