View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010624 | mantisbt | security | public | 2009-06-25 14:32 | 2009-10-07 14:19 |
Reporter | dhx | Assigned To | dhx | ||
Priority | immediate | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0rc1 | ||||
Target Version | 1.2.0rc2 | Fixed in Version | 1.2.0rc2 | ||
Summary | 0010624: Anyone can reset the account preferences of any other user | ||||
Description | account_prefs_reset.php does not perform ANY checks to ensure that the current user is authorised to reset the preferences on the target account. It is currently possible for anonymous users to reset the preferences of any other account that they know the username of (i.e. anyone). | ||||
Tags | No tags attached. | ||||