[ic] Security problem?

Mike Heins interchange-users@interchange.redhat.com
Mon Jan 28 10:57:00 2002


Quoting Jurgen Botz (jurgen@botz.org):
> Hmm, it just occurred to me that users can apparently update arbitrary
> fields in the userdb by saving any form page and adding input fields
> corresponding to column names in the userdb.  This will set IC values
> and if the userdb is later saved will update any such fields.  I just
> tried it and it seems to work.

By definition, they must be able to do that to update their name,
address, etc. There is no difference between an HTML form and 
an arbitrary query string.

> 
> Is there a way of preventing this or is it just that by design you're
> not supposed to put anything in the userdb that you want to prevent 
> people from updating?

> I note that the foundation userdb has some 
> fields that it would appear the user should not be able to set, i.e.
> "dealer".

Yes, that is why:

	UserDB  default scratch  "dealer credit_limit"

is in the foundation setup. It routes those to $Scratch instead
of $Values, which cannot be manipulated directly.

-- 
Red Hat, Inc., (emailing wirelessly from my laptop, on Perl Whirl
in the Caribbean Ocean) Geek Cruises (www.GeekCruises.com)
phone +1.513.523.7621 fax 7501 <mheins@redhat.com>

Be patient. God isn't finished with me yet.  -- unknown
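As an added illustration (not Interchange code, and not part of the thread), the following Python models the mechanism discussed above: a submitted form populates the values set, and saving the userdb copies every value whose name matches a column. The unrestricted save reproduces the problem Jurgen describes; the second save models the effect of `UserDB default scratch "dealer credit_limit"`, where the listed columns are sourced from a server-side scratch set that the form cannot populate. Column names and the sample record and form are constructed for the example.

```python
# Added example: modelling userdb mass assignment and the "default scratch"
# style fix. Column names and sample data are constructed, not taken from
# any real Interchange catalog.

# Columns of the (constructed) userdb table.
USERDB_COLUMNS = ("username", "fname", "lname", "address", "dealer", "credit_limit")

# Columns routed to scratch rather than values, mirroring
#   UserDB  default scratch  "dealer credit_limit"
SCRATCH_COLUMNS = frozenset({"dealer", "credit_limit"})


def form_to_values(form):
    """Model of form submission: every posted field becomes a value.

    There is no difference between an HTML form and an arbitrary query
    string, so the client controls every key in the result."""
    return dict(form)


def save_userdb_unrestricted(record, values):
    """The problem case: any value whose name is a column is written."""
    updated = dict(record)
    for col in USERDB_COLUMNS:
        if col in values:
            updated[col] = values[col]
    return updated


def save_userdb_with_scratch(record, values, scratch):
    """The fixed case: scratch-routed columns are only ever read from the
    server-side scratch set; a form-submitted value of the same name is
    ignored. Ordinary profile columns still come from values."""
    updated = dict(record)
    for col in USERDB_COLUMNS:
        if col in SCRATCH_COLUMNS:
            if col in scratch:
                updated[col] = scratch[col]
        elif col in values:
            updated[col] = values[col]
    return updated


def changed_protected_columns(before, after):
    """Audit helper: which protected columns differ between two records.
    Useful as a check in a save path or a test that the routing holds."""
    return sorted(c for c in SCRATCH_COLUMNS if before.get(c) != after.get(c))


# Constructed sample data.
CUSTOMER_RECORD = {
    "username": "jdoe",
    "fname": "John",
    "lname": "Doe",
    "address": "1 Example St",
    "dealer": "",
    "credit_limit": "0",
}

# A saved profile form with two extra input fields added by the client.
TAMPERED_FORM = {
    "fname": "Jane",
    "address": "2 Example St",
    "dealer": "1",
    "credit_limit": "99999",
}


def demo():
    """Return which protected columns each save path let the form change."""
    values = form_to_values(TAMPERED_FORM)
    naive = save_userdb_unrestricted(CUSTOMER_RECORD, values)
    # Empty scratch: nothing on the server side has granted dealer status.
    safe = save_userdb_with_scratch(CUSTOMER_RECORD, values, scratch={})
    return (
        changed_protected_columns(CUSTOMER_RECORD, naive),
        changed_protected_columns(CUSTOMER_RECORD, safe),
    )


if __name__ == "__main__":
    naive_changes, safe_changes = demo()
    print("unrestricted save changed:", naive_changes)
    print("scratch-routed save changed:", safe_changes)
```

The legitimate edits (fname, address) go through in both paths; only the scratch-routed save leaves `dealer` and `credit_limit` untouched. The audit helper is the kind of check worth keeping around when adding a new sensitive column, since forgetting to list it in the `default scratch` directive silently reopens the issue.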