Uh oh... ANYBODY can edit and confirm!!!

greenspun.com : LUSENET : MARP Editors : One Thread

I entered my initials and password in some URL, but mistyped my password and had already hit return when I noticed it. It still gave me the "edit" and "confirm" links?!?!?!?!

So then I tried again, using BBH's initials and a bogus password (at least I think so :-)) this time: http://marp.retrogames.com/index.cgi?mode=search&short=^lwings2$&table=y&per_game=1000&prefix=bbh&passwd=abcdefg&tourn=0

Lo and behold, I got "edit" and "confirm" links. That means that anybody can use the initials of one of the Editors, some bogus password, and can then edit and confirm...

Cheers, Ben Jos.

-- Anonymous, May 07, 2001

Answers

Ain't security grand! That's pretty cool. Shouldn't be too bad to fix, just have some extra python checks if the person accessing the page is logged in and if not redirect them to the homepage...

-- Anonymous, May 07, 2001

hehehehe - this is going to be fun...

You're only half right. You can't actually confirm/edit unless you have the absolute correct password. You WILL be forced to login with the correct password before you get the chance to edit/confirm a score. GB9

-- Anonymous, May 07, 2001
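The two checks the thread is contrasting, written out as an added example (not the MARP site's own code): a presence-only check that shows the edit/confirm links whenever any initials and password appear in the query string, beside the verification the action handler needs before it accepts a change. The editor table, salt and password are constructed placeholders, not real MARP credentials.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed editor table for the example: initials -> salted SHA-256 of
# the password. The real table and passwords are not on the page.
SALT = b"example-salt"


def _hash(pw: str) -> str:
    return hashlib.sha256(SALT + pw.encode()).hexdigest()


EDITORS = {"bbh": _hash("correct-horse")}  # hypothetical editor/password


def credentials_present(params: dict) -> bool:
    """Presence-only check, the behaviour the original post describes:
    any non-empty prefix and passwd in the query string pass."""
    return bool(params.get("prefix")) and bool(params.get("passwd"))


def credentials_valid(params: dict) -> bool:
    """Verify initials and password against the editor table with a
    constant-time comparison; the link display should use this same
    check as the edit/confirm action itself."""
    prefix = params.get("prefix", [""])[0]
    passwd = params.get("passwd", [""])[0]
    stored = EDITORS.get(prefix)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash(passwd))


def render_links(query: str, check) -> list:
    """Return the editor links a page would show for this query string."""
    params = parse_qs(query)
    return ["edit", "confirm"] if check(params) else []


if __name__ == "__main__":
    # Query string from the original post: bbh's initials, bogus password.
    q = "mode=search&short=^lwings2$&table=y&prefix=bbh&passwd=abcdefg"
    print("presence-only:", render_links(q, credentials_present))
    print("verified:     ", render_links(q, credentials_valid))
```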

