K. T. Walrus Posted July 19, 2005 Share Posted July 19, 2005 Just looking at the code in action_admin/member.php, it seems to me that you should verify that the mgroup input value is valid in member_do_add(). I'm not sure, but I think that if you have admin CP access but aren't in the root admin group, you could actually create a root admin user by just avoiding the form and doing the "doadd" URL directly. :devil: Or some other exploit... Maybe I'm missing something, but this just struck me as odd that this field doesn't seem to be checked before updating the DB... Link to comment Share on other sites More sharing options...
Management Matt Posted July 19, 2005 Management Share Posted July 19, 2005 This is not a bug in IPB but is more of a feature suggestion. Link to comment Share on other sites More sharing options...
Management Matt Posted July 19, 2005 Management Share Posted July 19, 2005 Added checks into IPB 2.1.0 B4. Link to comment Share on other sites More sharing options...
Logan Posted July 19, 2005 Share Posted July 19, 2005 If you think about it, an exploit like this could be used on all kinds of other settings and options in the ACP, not just adding members. Link to comment Share on other sites More sharing options...
Management Matt Posted July 20, 2005 Management Share Posted July 20, 2005 I have thought about it, which is why it's not really possible to fiddle around with URLs and force actions like this. I only checked the member group ID to make sure it's not the root admin group they're trying to add a member into. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.