
Should verify mgroup in member_do_add()

Guest K. T. Walrus


Just looking at the code in action_admin/member.php, it seems to me that you should verify that the mgroup input value is valid in member_do_add().

I'm not sure, but I think that if you have admin CP access but aren't in the root admin group, you could actually create a root admin user by just avoiding the form and doing the "doadd" URL directly. :devil:

Or some other exploit...

Maybe I'm missing something, but this just struck me as odd that this field doesn't seem to be checked before updating the DB...


  • Management

I have thought about it, which is why it's not really possible to fiddle around with URLs and force actions like this.

I only checked the member group ID to make sure it's not the root admin group they're trying to add a member into.

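The server-side check discussed in this thread, as an added example that is not part of the original posts and not the forum software's own code: the submitted `mgroup` is validated in the handler itself, so the result is the same whether the request came from the form or from a hand-built "doadd" URL. The function name, parameters and group ids are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: names and group ids are assumptions, not the product's code.
function validate_new_member_group(
    mixed $requested,          // raw mgroup value from the request
    array $existingGroupIds,   // ids of groups that exist in the database
    int $actingGroupId,        // group of the admin performing the add
    int $rootAdminGroupId      // id of the root admin group
): int {
    // Reject missing values, arrays and other non-scalar input up front.
    if (!is_string($requested) && !is_int($requested)) {
        throw new InvalidArgumentException('mgroup missing or not a scalar');
    }
    // Accept only a positive integer; anything with trailing text fails.
    $id = filter_var($requested, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('mgroup is not a positive integer');
    }
    // The id must name a group that actually exists.
    if (!in_array($id, $existingGroupIds, true)) {
        throw new InvalidArgumentException('mgroup does not exist');
    }
    // Only a root admin may place a new member in the root admin group.
    if ($id === $rootAdminGroupId && $actingGroupId !== $rootAdminGroupId) {
        throw new RuntimeException('not permitted to assign the root admin group');
    }
    return $id;
}

// Constructed sample data: existing group ids, with 4 as the root admin group.
$groups = [1, 2, 3, 4, 6];
$rootAdmin = 4;
$cases = [
    ['3', 6],     // ordinary group, non-root admin
    ['4', 6],     // root admin group requested by a non-root admin
    ['4', 4],     // root admin group requested by a root admin
    ['99', 4],    // group id that does not exist
    ['4abc', 4],  // malformed value
];
foreach ($cases as [$mgroup, $actor]) {
    try {
        $ok = validate_new_member_group($mgroup, $groups, $actor, $rootAdmin);
        echo "mgroup=$mgroup actor=$actor -> accepted ($ok)\n";
    } catch (Exception $e) {
        echo "mgroup=$mgroup actor=$actor -> rejected: {$e->getMessage()}\n";
    }
}
```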


This topic is now archived and is closed to further replies.
