From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030702

Description of problem:
As mentioned at http://www.redhat.com/archives/redhat-list/2003-October/msg00110.html. As I'm sure you're aware, asking people not to exploit this isn't really a fix. As it's possible someone could defraud Red Hat with this, and it's rather embarrassing for those of us who conduct training, I've marked this as critical.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Book a course
2. Modify a parameter in the URL

Actual Results:
The course details were changed to match the value entered.

Additional info:

The process used to actually book someone onto a course after this form is submitted does actually catch any attempts to modify the data or pricing (there is no automatic debiting, etc.), so no real harm can be done. It does however look unprofessional.

As was noted, it does look unprofessional, but no direct harm can be done. However, with a little afternoon hacking on Thursday the 2nd, the main problem was resolved: if someone changes the price or course name in the URL, the changes are replaced with the proper values. This is only true for real courses, and we can't as yet keep them from selecting bogus cities or dates, or making up bogus courses. But the main issue goes away.
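
The fix described in the last comment, sketched as an added example that is not the booking site's own code: the server treats only the course identifier as input and takes name and price from its own catalogue. It goes one step beyond that comment by also rejecting made-up courses, cities and dates. The parameter names, URL and catalogue entries are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed server-side catalogue (hypothetical ids, names, prices, sessions).
CATALOGUE = {
    "C101": {
        "name": "Intro to System Administration",
        "price": "1995.00",
        "sessions": {("London", "2003-11-10"), ("Raleigh", "2003-12-01")},
    },
    "C202": {
        "name": "Network Services",
        "price": "2495.00",
        "sessions": {("London", "2003-11-17")},
    },
}


class BookingError(ValueError):
    """The request names a course or session the catalogue does not offer."""


def canonical_booking(url):
    """Build booking details from the catalogue, never from display fields in the URL."""
    query = parse_qs(urlsplit(url).query)
    params = {key: values[0] for key, values in query.items()}

    course_id = params.get("course_id", "")
    course = CATALOGUE.get(course_id)
    if course is None:
        raise BookingError("unknown course")

    session = (params.get("city", ""), params.get("date", ""))
    if session not in course["sessions"]:
        raise BookingError("no such city/date for this course")

    # Client-supplied name and price are only compared, so tampering can be logged.
    tampered = sorted(
        field for field in ("name", "price")
        if field in params and params[field] != course[field]
    )
    return {
        "course_id": course_id,
        "name": course["name"],
        "price": course["price"],
        "city": session[0],
        "date": session[1],
        "tampered": tampered,
    }
```
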