Red Hat Bugzilla – Bug 106140
Registration website allows users to change arbitrary details of the training course they are attending by modifying URL
Last modified: 2007-04-18 12:58:06 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030702
Description of problem:
As mentioned at
As I'm sure you're aware, asking people not to exploit this isn't really a fix.
As it's possible someone could defraud Red Hat with this, and it's rather
embarrassing for those of us who conduct training, I've marked this as critical.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Book a course
2. Modify a parameter in the URL
Actual Results: The course details were changed to match the value entered.
The process used to actually book someone onto a course after this form is
submitted does actually catch any attempts to modify the data or pricing (there
is no automatic debiting etc.), so no real harm can be done. It does however
As was noted, it does look unprofessional, but no direct harm can be done.
However, with a little afternoon hacking on Thursday the 2nd, the main problem
was resolved: if someone changes the price or course name in the URL, the
changes are replaced with the proper values. This is only true for real
courses, and we can't as yet keep them from selecting bogus cities or dates, or
making up bogus courses. But the main issue goes away.
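The server-side replacement the last comment describes, extended with the city/date check it says was still missing, as an added example that is not code from this Bugzilla thread or from Red Hat's registration site; the catalogue, course ids, prices, cities and dates are constructed sample data:

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample catalogue and schedule standing in for the real course
# database; the ids, names, prices, cities and dates are made up.
COURSES: Dict[str, Dict[str, object]] = {
    "RHX101": {"name": "System Administration", "price_usd": 2498},
    "RHX201": {"name": "Network Services and Security", "price_usd": 2798},
}
SCHEDULE: Dict[str, Set[Tuple[str, str]]] = {
    "RHX101": {("Raleigh", "2003-10-13"), ("London", "2003-10-20")},
    "RHX201": {("Raleigh", "2003-11-03")},
}


@dataclass(frozen=True)
class Booking:
    course_id: str
    name: str
    price_usd: int
    city: str
    date: str


class BookingError(ValueError):
    """Raised when the URL names a course, city or date that is not offered."""


def build_booking(params: Dict[str, str]) -> Booking:
    """Derive the booking from the catalogue, never from client-supplied values.
    `params` is the confirmation URL's query string as a dict; only course id,
    city and date are read from it, and name/price are looked up instead."""
    course_id = params.get("course", "")
    course = COURSES.get(course_id)
    if course is None:
        raise BookingError(f"unknown course id {course_id!r}")
    offering = (params.get("city", ""), params.get("date", ""))
    if offering not in SCHEDULE[course_id]:
        raise BookingError(f"{course_id} not offered in {offering[0]!r} on {offering[1]!r}")
    return Booking(course_id, str(course["name"]), int(course["price_usd"]), *offering)


def tampered_fields(params: Dict[str, str], booking: Booking) -> List[str]:
    """URL parameters whose value disagrees with the catalogue; worth logging,
    since a non-empty list means the confirmation URL was edited by hand."""
    canonical = {"name": booking.name, "price": str(booking.price_usd)}
    return [k for k, v in canonical.items() if k in params and params[k] != v]
```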