Posted July 19, 2005

Just looking at the code in action_admin/member.php, it seems to me that you should verify that the mgroup input value is valid in member_do_add(). I'm not sure, but I think that if you have admin CP access but aren't in the root admin group, you could actually create a root admin user by just avoiding the form and doing the "doadd" URL directly. :devil: Or some other exploit... Maybe I'm missing something, but this just struck me as odd that this field doesn't seem to be checked before updating the DB...
July 19, 2005

If you think about it, an exploit like this could be used on all kinds of other settings and options in the ACP, not just adding members.
July 20, 2005 (Management)

I have thought about it, which is why it's not really possible to fiddle around with URLs and force actions like this. I only checked the member group ID to make sure it's not the root admin group they're trying to add a member into.
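The server-side check discussed in this thread, as an added example that is not part of the original posts and is not Invision's code: it validates a submitted group value against the groups that exist and against the acting admin's own groups, regardless of what the form offered. The function name, the group IDs and the sample arrays are assumptions made for illustration.

```php
<?php
// Added illustration; not code from the forum software. All names and IDs are hypothetical.
const ROOT_ADMIN_GROUP = 4; // assumed ID of the root admin group

/**
 * Validate a submitted member-group value on the server.
 * $raw         value taken from the request (never trusted)
 * $knownGroups group IDs that exist in the database
 * $actorGroups group IDs of the admin performing the action
 */
function validate_member_group($raw, array $knownGroups, array $actorGroups): int
{
    // Accept only a plain positive integer; arrays, "", "4abc" all fail here.
    $gid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($gid === false || $gid === null) {
        throw new InvalidArgumentException('group value is not a valid ID');
    }

    // The ID must refer to a group that actually exists.
    if (!in_array($gid, $knownGroups, true)) {
        throw new InvalidArgumentException('group does not exist');
    }

    // Only a root admin may place a member into the root admin group.
    if ($gid === ROOT_ADMIN_GROUP && !in_array(ROOT_ADMIN_GROUP, $actorGroups, true)) {
        throw new RuntimeException('actor may not assign the root admin group');
    }

    return $gid;
}

// Constructed sample data: existing groups, and an ACP user who is not a root admin.
$known = [1, 2, 3, 4, 6];
$actor = [6];

// Constructed request values, as they would arrive whether or not the form was used.
foreach (['3', '4', '999', '4abc', ['4']] as $input) {
    try {
        $result = 'accepted as group ' . validate_member_group($input, $known, $actor);
    } catch (Exception $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    echo json_encode($input), ' => ', $result, PHP_EOL;
}
```

Running the check in the handler that writes to the database, rather than in the code that renders the form, is what makes it hold when the form is bypassed.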