Private Message Attachments Security Problem
| | | | |
|---|---|---|---|
| Date: | 03/16/2008 | Show-stopper?: | |
| Status: | Bug Squashed | Reporter: | quicksketch |
| Reported in Version: | EE 1.6.2 | Assigned To: | Not Assigned |
| Keywords: | Membership, Private Messaging, Control Panel, My Account | | |
| Support Thread: | | | |
Details
This security issue borders either on SQL injection or File manipulation. It allows any user that can send private messages with attachments to delete attachments of any other private message in the system.
To reproduce:
- Go to CP -> My Account -> Private Messages -> Compose New Message
- Fill in a title and body
- Select a file to attach
- Hit Preview Message
- Open Firebug, inspect the Remove button next to your new attachment.
- Change the value on the button from remove[x] to any attachment ID and click the button.
- Any attachment you specify on the site will be deleted.
Comment on Bug Report
Posted by: Paul Burdick on 16 March 2008 6:14pm
Actually, it is neither as there is no way to modify the query and the file is not really being maliciously modified. It is a possibly annoying problem and I would definitely consider it a serious bug. Not a security one as the system is not compromised.
Posted by: quicksketch on 16 March 2008 6:20pm
Thanks. I agree the SQL query isn’t being modified, but it does allow a user to delete attachments of other users, which I’d say is a security issue when users are allowed to delete files to which they shouldn’t have access.
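
The missing ownership check described in this report, as an added example that is not part of the original thread and is not ExpressionEngine's code: a delete keyed only on the submitted attachment ID beside one scoped to the logged-in member. The table, column and function names are hypothetical, and the rows are constructed sample data.

```python
import logging
import sqlite3

log = logging.getLogger("pm_attachments")


def make_db():
    # Constructed sample data: two attachments owned by two different members.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attachments "
               "(id INTEGER PRIMARY KEY, owner_id INTEGER, filename TEXT)")
    db.executemany("INSERT INTO attachments VALUES (?, ?, ?)",
                   [(1, 10, "member10-notes.pdf"), (2, 20, "member20-photo.jpg")])
    return db


def remove_attachment_unchecked(db, session_member_id, attachment_id):
    """Behaviour as reported: the ID from the form field is the only key.

    The query is parameterized, so its structure cannot be changed, yet the
    session's member ID is never consulted and any row can be deleted.
    """
    cur = db.execute("DELETE FROM attachments WHERE id = ?", (attachment_id,))
    return cur.rowcount == 1


def remove_attachment_checked(db, session_member_id, attachment_id):
    """Hardened form: the delete only matches rows owned by the session member."""
    try:
        attachment_id = int(attachment_id)  # form values arrive as strings
    except (TypeError, ValueError):
        return False
    cur = db.execute(
        "DELETE FROM attachments WHERE id = ? AND owner_id = ?",
        (attachment_id, session_member_id),
    )
    if cur.rowcount != 1:
        # Nothing matched: the ID is unknown or belongs to another member.
        # Logging it gives operators a signal that form values were altered.
        log.warning("member %s denied removal of attachment %s",
                    session_member_id, attachment_id)
        return False
    return True


def remaining(db):
    """IDs still present, used to confirm what each call actually removed."""
    return [row[0] for row in db.execute("SELECT id FROM attachments ORDER BY id")]
```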
