Guest K. T. Walrus
July 19, 2005 in Feedback
Just looking at the code in action_admin/member.php, it seems to me that you should verify that the mgroup input value is valid in member_do_add().
I'm not sure, but I think that if you have admin CP access but aren't in the root admin group, you could actually create a root admin user by just avoiding the form and doing the "doadd" URL directly. :devil:
Or some other exploit...
Maybe I'm missing something, but this just struck me as odd that this field doesn't seem to be checked before updating the DB...
This is not a bug in IPB but is more of a feature suggestion.
Added checks into IPB 2.1.0 B4.
If you think about it, an exploit like this could be used on all kinds of other settings and options in the ACP, not just adding members.
I have thought about it, which is why it's not really possible to fiddle around with URLs and force actions like this.
I only checked the member group ID to make sure it's not the root admin group they're trying to add a member into.
This topic is now archived and is closed to further replies.
Started 56 minutes ago
Started 1 hour ago