
security issue

Posted: Tue Jan 25, 2011 12:42 am
by cybergenesis
Hello,
I noticed a security problem. If I am logged in and click "Edit My Profile" on the left-hand side, the URL link is:
index.php?-action=edit&-table=users&username==admin

If I change "admin" to any other username, I can see their information (first name, last name, etc.).
Any suggestions on a fix for this? I noticed the My Watch List link does not use this type of GET call; my guess is that it is using sessions. Would it be better to use sessions in this situation?

Thanks in advance.

Re: security issue

Posted: Tue Jan 25, 2011 12:44 pm
by shannah
When you are logged in as admin, you have access to everyone's profile. If you are logged in as a regular user you shouldn't be able to see others' profile info.

Re: security issue

Posted: Sun Jan 30, 2011 11:50 pm
by cybergenesis
Shannah,
You are correct; I checked the link using a user account and it does not show any other users. Sorry for the post and thanks for the help.
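
The behaviour described in this thread, as an added example that is not part of the original posts or of the application's own code: the `username` parameter in the URL only names the record being requested, while the server decides access from the logged-in session. The account data, role names, function names and the treatment of the leading `=` in the value are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample accounts; roles and field names are assumptions.
USERS = {
    "admin": {"role": "ADMIN", "first_name": "Site", "last_name": "Admin"},
    "alice": {"role": "USER", "first_name": "Alice", "last_name": "Example"},
    "bob": {"role": "USER", "first_name": "Bob", "last_name": "Example"},
}


def requested_username(query):
    """Pull the target username out of a query string like the one in the thread."""
    values = parse_qs(query).get("username")
    if not values:
        return None
    # "username==admin" parses to the value "=admin"; the leading "=" is
    # assumed here to be the framework's exact-match marker, so drop it.
    return values[0].lstrip("=")


def can_view_profile(session_user, target):
    """Decide from the server-side session identity, never from the URL alone."""
    account = USERS.get(session_user)
    if account is None or target not in USERS:
        return False  # not logged in, or no such profile (same answer for both)
    if account["role"] == "ADMIN":
        return True  # admins may open every profile
    return session_user == target  # regular users only their own


def handle_edit_request(session_user, query):
    """Return (status, record) for an edit-profile request."""
    target = requested_username(query)
    if target is None:
        return 400, None
    if not can_view_profile(session_user, target):
        return 403, None
    record = {k: v for k, v in USERS[target].items() if k != "role"}
    return 200, record
```

A quick way to confirm this on a real deployment is the test the original poster ran: repeat the edited URL while logged in as a non-admin account and check that the response is a denial rather than another user's record.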