Bug 106140 - Registration website allows users to change arbitrary details of the training course they are attending by modifying URL
Status: CLOSED CURRENTRELEASE
Product: Red Hat Web Site
Classification: Red Hat
Component: Other
Version: current
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Web Development
URL: http://info.redhat.com/a/tA-eyxnAJPSN...
Keywords: Security
Reported: 2003-10-03 00:47 EDT by Mike MacCana
Modified: 2007-04-18 12:58 EDT
Doc Type: Bug Fix
Last Closed: 2003-10-06 10:00:26 EDT
Attachments: None

Description Mike MacCana 2003-10-03 00:47:01 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030702

Description of problem:
As mentioned at
http://www.redhat.com/archives/redhat-list/2003-October/msg00110.html.

As I'm sure you're aware, asking people not to exploit this isn't really a fix.
As it's possible someone could defraud Red Hat with this, and it's rather
embarrassing for those of us who conduct training, I've marked this as critical.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Book a course
2. Modify a parameter in the URL

Actual Results:  The course details were changed to match the value entered.

Additional info:
Comment 1 Mark J. Cox (Product Security) 2003-10-06 08:01:32 EDT
The process used to actually book someone onto a course after this form is
submitted does actually catch any attempts to modify the data or pricing (there
is no automatic debiting etc.), so no real harm can be done.  It does however
look unprofessional.
Comment 2 Luke Meyer 2003-10-06 10:00:26 EDT
As was noted, it does look unprofessional, but no direct harm can be done.

However, with a little afternoon hacking on Thursday the 2nd, the main problem
was resolved: if someone changes the price or course name in the URL, the
changes are replaced with the proper values.  This is only true for real
courses, and we can't as yet keep them from selecting bogus cities or dates, or
making up bogus courses.  But the main issue goes away.
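The fix described in Comment 2, replacing URL-supplied price and course name with the server's own catalogue values, as an added Python example that is not the Red Hat site's code; it also goes one step beyond the comment and checks city and date against scheduled sessions. The catalogue, course id, prices and sessions are constructed placeholders, and the returned `tampered` dict is there so a caller can log mismatches rather than silently correct them.

```python
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the real course database (assumption, not Red Hat data).
CATALOG = {
    "RH133": {
        "name": "Red Hat Linux System Administration",
        "price": Decimal("2498.00"),
        "sessions": {("Sydney", "2003-10-20"), ("Melbourne", "2003-11-03")},
    },
}

BOOKING_FIELDS = ("course_id", "course_name", "price", "city", "date")


class BookingError(ValueError):
    """Raised when the submitted course, city or date is not in the catalogue."""


def book_trusting_url(params):
    """The pattern the report describes: every URL parameter is copied into the booking."""
    return {field: params.get(field) for field in BOOKING_FIELDS}


def _price_differs(submitted, canonical):
    # Non-numeric input counts as a mismatch rather than raising inside the handler.
    try:
        return Decimal(str(submitted)) != canonical
    except InvalidOperation:
        return True


def book_from_catalog(params, catalog=CATALOG):
    """Hardened handler: only course_id, city and date are taken from the client,
    and they must match the catalogue; name and price always come from the server."""
    course_id = params.get("course_id")
    course = catalog.get(course_id)
    if course is None:
        raise BookingError(f"unknown course id {course_id!r}")
    city, date = params.get("city"), params.get("date")
    if (city, date) not in course["sessions"]:
        raise BookingError(f"no session of {course_id} in {city!r} on {date!r}")
    booking = {"course_id": course_id, "course_name": course["name"],
               "price": course["price"], "city": city, "date": date}
    # Record what the client tried to override so it can be logged as a tamper attempt.
    tampered = {}
    if "course_name" in params and params["course_name"] != course["name"]:
        tampered["course_name"] = params["course_name"]
    if "price" in params and _price_differs(params["price"], course["price"]):
        tampered["price"] = params["price"]
    return booking, tampered
```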
