security issue
Archived from the Web Auction Discussion forum.
cybergenesis — Tue Jan 25, 2011 12:42 am
Hello,
I noticed a security problem. If I am logged in and click “Edit My Profile” on the left hand side, the url link is:
index.php?-action=edit&-table=users&username==admin
If I change “admin” to any other username, I can see their information (first name, last name, etc.).
Any suggestion on a fix for this? I noticed the My Watch List link does not use this type of GET call; my guess is that it is using sessions. Would it be better to use a session in this situation?
Thanks in advance.
shannah — Tue Jan 25, 2011 12:44 pm
When you are logged in as admin, you have access to everyone’s profile. If you are logged in as a regular user you shouldn’t be able to see others’ profile info.
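The access rule shannah describes (a regular user only sees their own record, an admin may name any user), written out as an added example in PHP; this is not Web Auction or Xataface code, and the session keys `username` and `role` are assumed for illustration:

```php
<?php
// Added example, not part of the original thread or of Web Auction/Xataface.
// Assumed session layout: $_SESSION['username'] and $_SESSION['role'].

// Decide which profile record a request may operate on.
// Returns the username whose record may be shown/edited, or null to deny.
function resolveProfileTarget(array $session, array $get): ?string
{
    $me = $session['username'] ?? null;
    if ($me === null) {
        return null;                         // not logged in: no record at all
    }
    // In the thread's URL the value arrives as "=admin" (Xataface exact-match
    // form); strip that prefix before comparing.
    $requested = isset($get['username']) ? ltrim($get['username'], '=') : $me;
    if ($requested === $me) {
        return $me;                          // a user's own record is always allowed
    }
    // Anyone else's record requires the admin role; the URL alone never decides.
    return (($session['role'] ?? '') === 'admin') ? $requested : null;
}

// Constructed sample requests, mirroring the URL pattern from the thread.
$get = ['username' => '=alice'];
$cases = [
    'admin asking for alice' => ['username' => 'admin', 'role' => 'admin'],
    'bob asking for alice'   => ['username' => 'bob',   'role' => 'user'],
    'alice asking for alice' => ['username' => 'alice', 'role' => 'user'],
];
foreach ($cases as $label => $session) {
    $target = resolveProfileTarget($session, $get);
    echo $label, ': ', $target === null ? 'denied' : "allowed ($target)", PHP_EOL;
}
```

The check runs server-side on every request, so changing the `username` parameter in the address bar cannot widen what a regular user sees.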
cybergenesis — Sun Jan 30, 2011 11:50 pm
Shannah,
You are correct. I checked the link using a user account and it does not show any other users. Sorry for the post, and thanks for the help.