
#19 Security Bug

open
nobody
None
5
2003-09-26
2003-09-26
No

I received the following message today:

"The vulnerable file is uupd.inc.php, which carries out the following query: $user_result = db_query("select * from user where ID='$user_ID'") or db_die();
pay.php uses the following output to create the edit form: <input type=hidden name=user_ID value=\"$user_row[0]\">. Simply changing the value in the HTML file allows updating whatever user profile you desire to change, including the account's password, by creating a request with a changed user_id.

Thus it's possible to edit every user profile and log in as the new user.
All recent versions are affected.

Greetings,
chris hammerschmidt"

This information is right.
Attached and in CVS is a fixed uupd.inc.php.

Before the line with '$user_result ...', an include("./lib.inc.php"); is added.

Greetings,
Andreas.
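
An added example, not the project's code, of the server-side check this kind of report calls for: the profile row is selected from the authenticated session, and a user_ID form field is never used to choose it. The table layout, the function name and the session array are assumptions, and what lib.inc.php itself does is not shown on this page.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (ID INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');
$db->exec("INSERT INTO user VALUES (1, 'alice', 'old-hash-a'), (2, 'bob', 'old-hash-b')");

// Hypothetical handler: the row to update comes from the session only.
function update_profile(PDO $db, array $session, array $post): int
{
    if (!isset($session['user_ID'])) {
        throw new RuntimeException('not authenticated');
    }
    $id = (int) $session['user_ID'];

    // A form value that disagrees with the session is worth a log line,
    // but it never decides which row is written.
    if (isset($post['user_ID']) && (int) $post['user_ID'] !== $id) {
        error_log(sprintf('profile update: user_ID mismatch, session=%d form=%d',
            $id, (int) $post['user_ID']));
    }

    // Bound parameters instead of building the SQL string from variables.
    $stmt = $db->prepare('UPDATE user SET pw_hash = :pw WHERE ID = :id');
    $stmt->execute([
        ':pw' => password_hash((string) $post['new_pw'], PASSWORD_DEFAULT),
        ':id' => $id,
    ]);
    return $id;
}

// Constructed request: the session belongs to user 2, the form names user 1.
$session = ['user_ID' => 2];
$post    = ['user_ID' => '1', 'new_pw' => 'correct horse battery'];

$changed = update_profile($db, $session, $post);
$row1    = $db->query('SELECT pw_hash FROM user WHERE ID = 1')->fetchColumn();
echo "updated row: $changed; row 1 untouched: "
    . var_export($row1 === 'old-hash-a', true) . "\n";
```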

Discussion

  • Andreas Kansok

    Andreas Kansok - 2003-09-26

    Fixes described bug

     
  • Christoph Lehnberger

    Logged In: YES
    user_id=678969

    Sorry,
    but there is no fixed version of uupd.inc.php in cvs.

    I hope you only forgot to submit it ;-)

    Greetings

     
  • Andreas Kansok

    Andreas Kansok - 2003-11-30

    Logged In: YES
    user_id=367331

    So please use file attached here ...

     
