CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017.




Author Topic: Security bug in search results?  (Read 1542 times)

sykong

  • Guest
Security bug in search results?
June 21, 2009, 05:12:46 am
I have CiviCRM 2.2.6 installed as a component in Joomla. I have a default profile set and I am using it to create, edit and search profile.

I found that if "Include profile edit links in search results?" is enabled, I can edit all contacts. Even if I am not logged in, I can get the listing via the URL http://joomla_url/component/civicrm/?task=civicrm%2Fprofile&force=1&gid=1 and from there edit any contact that is listed.


sykong

  • Guest
Re: Security bug in search results?
June 21, 2009, 05:18:56 am
It seems like I can modify profile data through the edit URL too!

e.g. http://joomla_url/index.php?option=com_civicrm&task=civicrm/profile/edit&reset=1&id=6&gid=1
« Last Edit: June 21, 2009, 05:31:49 am by sykong »

Dave Greenberg

  • Administrator
Re: Security bug in search results?
June 22, 2009, 02:34:17 pm
Thanks for the report on this. We're investigating:

http://issues.civicrm.org/jira/browse/CRM-4668
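While a report like this is under investigation, a site operator can check web server logs for clients that opened the profile edit form for many different contacts. The following is an added example, not part of the original thread and not CiviCRM code: it parses the two URL forms quoted in the posts above (including the `%2F`-encoded `task` value) and groups requested contact ids by client address. The sample log lines are constructed, the common log format is an assumption, and the threshold of 3 distinct contacts is an arbitrary starting point.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in common log format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2009:05:10:01 +0000] "GET /component/civicrm/?task=civicrm%2Fprofile&force=1&gid=1 HTTP/1.1" 200 5120
203.0.113.7 - - [21/Jun/2009:05:10:09 +0000] "GET /index.php?option=com_civicrm&task=civicrm/profile/edit&reset=1&id=6&gid=1 HTTP/1.1" 200 4096
203.0.113.7 - - [21/Jun/2009:05:10:15 +0000] "POST /index.php?option=com_civicrm&task=civicrm/profile/edit&reset=1&id=7&gid=1 HTTP/1.1" 200 4100
203.0.113.7 - - [21/Jun/2009:05:10:21 +0000] "GET /index.php?option=com_civicrm&task=civicrm%2Fprofile%2Fedit&reset=1&id=8&gid=1 HTTP/1.1" 200 4090
198.51.100.20 - - [21/Jun/2009:06:00:00 +0000] "GET /index.php?option=com_civicrm&task=civicrm/profile/edit&reset=1&id=12&gid=1 HTTP/1.1" 200 4101
198.51.100.20 - - [21/Jun/2009:06:00:05 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def profile_edit_hits(log_text):
    """Map client address -> set of contact ids requested via civicrm/profile/edit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(3).startswith("2"):
            continue  # unparsable line, or a request that did not succeed
        params = parse_qs(urlsplit(m.group(2)).query)  # parse_qs decodes %2F
        task = params.get("task", [""])[0].strip("/")
        if task == "civicrm/profile/edit" and "id" in params:
            hits[m.group(1)].add(params["id"][0])
    return dict(hits)

def flag_enumeration(log_text, threshold=3):
    """Clients that opened the edit form for `threshold` or more distinct contacts."""
    return sorted(ip for ip, ids in profile_edit_hits(log_text).items()
                  if len(ids) >= threshold)

if __name__ == "__main__":
    for ip in flag_enumeration(SAMPLE_LOG):
        print(ip, sorted(profile_edit_hits(SAMPLE_LOG)[ip], key=int))
```

Access logs in this format do not record whether a Joomla session was logged in, so flagged clients need to be correlated with application or session logs before drawing conclusions.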


This forum was archived on 2017-11-26.