Bug 106140 - Registration website allows users to change arbitrary details of the training course they are attending by modifying URL
Summary: Registration website allows users to change arbitrary details of the training...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Web Site
Classification: Red Hat
Component: Other   
Version: current
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Web Development
QA Contact: Web Development
URL: http://info.redhat.com/a/tA-eyxnAJPSN...
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2003-10-03 04:47 UTC by Mike MacCana
Modified: 2007-04-18 16:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-10-06 14:00:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Mike MacCana 2003-10-03 04:47:01 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030702

Description of problem:
As mentioned at
http://www.redhat.com/archives/redhat-list/2003-October/msg00110.html.

As I'm sure you're aware, asking people not to exploit this isn't really a fix.
As it's possible someone could defraud Red Hat with this, and it's rather
embarrassing for those of us who conduct training, I've marked this as critical.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Book a course
2. Modify a parameter in the URL

Actual Results:  The course details were changed to match the value entered.

Additional info:

Comment 1 Mark J. Cox 2003-10-06 12:01:32 UTC
The process used to actually book someone onto a course after this form is
submitted does actually catch any attempts to modify the data or pricing, (there
is no automatic debiting etc), so no real harm can be done.  It does however
look unprofessional.

Comment 2 Luke Meyer 2003-10-06 14:00:26 UTC
As was noted, it does look unprofessional, but no direct harm can be done.

However, with a little afternoon hacking on Thursday the 2nd, the main problem
was resolved: if someone changes the price or course name in the URL, the
changes are replaced with the proper values.  This is only true for real
courses, and we can't as yet keep them from selecting bogus cities or dates, or
making up bogus courses.  But the main issue goes away.
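The class of bug discussed in this report is client-side trust of business data: the booking form carried the course name and price in the URL, so the server accepted whatever the browser sent back. The fix described in Comment 2 is to treat the server's own records as authoritative and overwrite the client-supplied name and price. The example below is added here to illustrate that pattern; it is not the registration site's code, and the catalogue, course codes, sessions and booking URL are all constructed for the demonstration. It also goes one step past the fix in Comment 2 by rejecting city/date combinations and course codes that are not in the catalogue, which Comment 2 says was not yet done.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed catalogue standing in for the real course database
# (hypothetical codes, prices and sessions, not Red Hat data).
CATALOGUE = {
    "RH133": {
        "name": "Red Hat Linux System Administration",
        "price_usd": 2500,
        "sessions": {("Sydney", "2003-11-10"), ("Melbourne", "2003-11-24")},
    },
    "RH253": {
        "name": "Red Hat Linux Networking and Security Administration",
        "price_usd": 2500,
        "sessions": {("Sydney", "2003-12-01")},
    },
}


def _params(url):
    """Return the single-valued query parameters of a booking URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def book_trusting_client(url):
    """Pre-fix behaviour: every field, including the price, is taken from the URL.

    Anyone who edits the query string controls what gets booked.
    """
    p = _params(url)
    return {
        "course": p["course"],
        "name": p["name"],
        "city": p["city"],
        "date": p["date"],
        "price_usd": int(p["price"]),
    }


def book_server_authoritative(url):
    """Fixed behaviour: only the course code, city and date are read from the URL.

    Name and price are looked up server-side, so client-supplied values for
    them are ignored, and the requested session must exist for that course.
    """
    p = _params(url)
    course = CATALOGUE.get(p.get("course"))
    if course is None:
        raise ValueError("unknown course code")
    session = (p.get("city"), p.get("date"))
    if session not in course["sessions"]:
        raise ValueError("no such session for this course")
    return {
        "course": p["course"],
        "name": course["name"],
        "city": session[0],
        "date": session[1],
        "price_usd": course["price_usd"],
    }


# Constructed tampered URL: the name and price parameters have been edited.
TAMPERED = (
    "https://example.invalid/register?course=RH133&name=Free+Course"
    "&city=Sydney&date=2003-11-10&price=1"
)

if __name__ == "__main__":
    print("trusting client:", book_trusting_client(TAMPERED))
    print("server authoritative:", book_server_authoritative(TAMPERED))
```

The important property is that the fixed handler never reads `name` or `price` from the request at all; it is not enough to compare the submitted price with the stored one, since that still lets the attacker choose which fields are checked. The remaining gap noted in Comment 2 (bogus cities, dates or course codes) is closed here by treating the session list as the source of truth as well.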

