Should verify mgroup in member_do_add()


Guest K. T. Walrus

Recommended Posts

Posted

Just looking at the code in action_admin/member.php, it seems to me that you should verify that the mgroup input value is valid in member_do_add().

I'm not sure, but I think that if you have admin CP access but aren't in the root admin group, you could actually create a root admin user by just avoiding the form and doing the "doadd" URL directly. :devil:

Or some other exploit...

Maybe I'm missing something, but this just struck me as odd that this field doesn't seem to be checked before updating the DB...

Posted

If you think about it, an exploit like this could be used on all kinds of other settings and options in the ACP, not just adding members.

  • Management
Posted

I have thought about it, which is why it's not really possible to fiddle around with URLs and force actions like this.

I only checked the member group ID to make sure it's not the root admin group they're trying to add a member into.
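
An added example, not code from IPB or from either poster, of the point the two posts above are making: a member_do_add() handler that writes the submitted mgroup value straight through, beside one that checks the value against the group table and refuses to let an admin who is not in the root admin group place the new account there. ROOT_ADMIN_GROUP, the $groups table, $actingAdmin and the request array are constructed for the illustration and are not taken from IPB's code or database.

```php
<?php
// Added example, not IPB's own code. Shows a member-add handler that trusts
// the submitted mgroup value next to one that validates it against the
// acting admin's privileges. ROOT_ADMIN_GROUP, $groups and $actingAdmin are
// assumptions made for this illustration.

declare(strict_types=1);

const ROOT_ADMIN_GROUP = 4;   // assumed ID of the root admin group

// Constructed group table standing in for the real DB rows.
$groups = [
    3 => ['g_id' => 3, 'g_title' => 'Members'],
    4 => ['g_id' => 4, 'g_title' => 'Root Admin'],
    6 => ['g_id' => 6, 'g_title' => 'Moderators'],
];

// Vulnerable pattern: whatever arrives in mgroup becomes the stored group ID,
// so a hand-built "doadd" request can pick any group, including root admin.
function member_do_add_unchecked(array $input): array
{
    return [
        'name'   => $input['name'],
        'mgroup' => (int) $input['mgroup'],
    ];
}

// Hardened pattern: mgroup must be an integer that exists in the group table,
// and only a root admin may create another root admin. The function throws
// instead of silently substituting a value, so the rejected request can be
// logged by the caller.
function member_do_add_checked(array $input, array $actingAdmin, array $groups): array
{
    $mgroup = filter_var($input['mgroup'] ?? null, FILTER_VALIDATE_INT);
    if ($mgroup === false || !isset($groups[$mgroup])) {
        throw new InvalidArgumentException('mgroup is not a valid group ID');
    }
    if ($mgroup === ROOT_ADMIN_GROUP && $actingAdmin['mgroup'] !== ROOT_ADMIN_GROUP) {
        throw new RuntimeException('only root admins may create root admin accounts');
    }
    return ['name' => $input['name'], 'mgroup' => $mgroup];
}

// Constructed scenario: an admin in the Moderators group submits the doadd
// request directly, bypassing the form, with mgroup set to the root group.
$actingAdmin = ['id' => 12, 'mgroup' => 6];
$request     = ['name' => 'newuser', 'mgroup' => (string) ROOT_ADMIN_GROUP];

$row = member_do_add_unchecked($request);
printf("unchecked: %s lands in group %d\n", $row['name'], $row['mgroup']);

try {
    member_do_add_checked($request, $actingAdmin, $groups);
} catch (InvalidArgumentException | RuntimeException $e) {
    printf("checked: rejected (%s)\n", $e->getMessage());
}
```

Run it with the PHP CLI: the first line shows the unchecked handler putting the new account into group 4, the second shows the checked handler rejecting the same request. The existence check matters as much as the root-admin check, since an integer that matches no group row would otherwise be stored without complaint.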
