
Cyberman

shared this problem
3 years ago

Employees involved: PIV Support (Admin)


email security

I am using the free version 3.2.9, and when I change the user/agent # in the browser (index.php?action=contact_agent&agent_id=) to any number I replace it with, I can see other members' info and send any email I want to other members. I can go in and email other members directly. I think this is a huge security issue and needs to be looked at ASAP. Is there any add-on to prevent this?

I see a permission denied msg. when I try changing other members' profiles, which is great (index.php?action=edit_profile&user_id=), but this is not working on the contact page.

I saw a similar post from a few years back; would this add-on work? Thanks.

http://eduardomarques.com/downloads/a...

Eduardo


Comments (3)

Employee:

I don't see how this is a security problem. You cannot view any restricted information at all via action=contact_agent (unless you somehow consider the contact form itself to be restricted content), and you cannot see or use the contact form unless you have at least a Member account and are logged in to it.

If you truly believe you have found some kind of security issue that exposes restricted info, you should contact Transparent Tech's sales dept. and provide them with specific examples of what you believe you have discovered, most importantly how to re-create it via your site.

I cannot comment on the post you read or the add-on you linked above, as I have no idea what you read from a few years back or what that add-on does, since you did not provide that information.

Cyberman:

I'm sorry, I should have mentioned that I was logged in first as a user/member, and I created a direct link in the browser:

www.mydomain.com/or/index.php?action=contact_agent&agent_id#) Once I change the user's ID# to 1, 2, 3, 4 etc. in the browser, I am able to see the user's name and send them an email. I was creating a direct link to use on my contact page. I'm assuming creating a direct link is like going through your web pages 1, 2, 3, etc. I'm not a programmer, I just know a little bit of HTML to create my own websites. I would like to know your results on this; greatly appreciated.

Employee:

Yes, that is exactly how it is supposed to work: you have to pass the Agent ID# $_GET variable for the form to operate and send the contact to the correct Agent.
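The exchange above turns on whether an integer agent_id taken from the query string needs an authorization check beyond "the requester is a logged-in member". As an added example, not Open-Realty code and not the add-on linked in the first post, the handler below shows the usual pattern for such an action: validate the parameter as a positive integer, look the target up by role so that only active agent accounts are reachable by ID, give every failure the same generic response so the endpoint cannot be used to enumerate accounts, and take the recipient address from the database row rather than from the request. The table and column names (users: id, display_name, email, role, active), the session key user_id, and the sample accounts are assumptions constructed for this demo.

```php
<?php
// Added example, not Open-Realty code: an authorization check for a
// "contact agent" action keyed by an agent_id request parameter.
// Table/column names (users: id, display_name, email, role, active) and the
// session layout ($session['user_id']) are assumptions for this demo.
declare(strict_types=1);

// Build a constructed in-memory database with a mix of account types.
function build_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, display_name TEXT, email TEXT,
        role TEXT, active INTEGER)');
    $rows = [ // constructed sample accounts
        [1, 'Site Admin', 'admin@example.test', 'admin',  1],
        [2, 'Ann Agent',  'ann@example.test',   'agent',  1],
        [3, 'Bob Member', 'bob@example.test',   'member', 1],
        [4, 'Old Agent',  'old@example.test',   'agent',  0],
    ];
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, ?)');
    foreach ($rows as $r) {
        $ins->execute($r);
    }
    return $db;
}

// Decide whether the current session may contact $raw_agent_id and, if so,
// return the recipient record. Every failure after the login check returns
// the same generic reason, so a caller cannot tell "no such ID" from
// "exists but is not an agent".
function resolve_contact_target(PDO $db, array $session, $raw_agent_id): array
{
    // 1. Only logged-in members may use the form at all.
    if (empty($session['user_id'])) {
        return ['ok' => false, 'reason' => 'login required'];
    }
    // 2. agent_id must be a positive integer; anything else is rejected
    //    before it reaches the query.
    $agent_id = filter_var($raw_agent_id, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
    if ($agent_id === false) {
        return ['ok' => false, 'reason' => 'agent not available'];
    }
    // 3. Authorize by role, not just by existence: the row must be an
    //    active agent. Plain member accounts are therefore unreachable
    //    through this action even if their numeric ID is guessed.
    $stmt = $db->prepare(
        'SELECT id, display_name, email FROM users
         WHERE id = :id AND role = :role AND active = 1');
    $stmt->execute([':id' => $agent_id, ':role' => 'agent']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Record the denied lookup server-side; tell the client nothing specific.
        error_log(sprintf('contact_agent denied: user %d requested id %d',
                          (int) $session['user_id'], $agent_id));
        return ['ok' => false, 'reason' => 'agent not available'];
    }
    // 4. The recipient address comes from the database row, never from the
    //    request, so the form cannot be turned into an open mail relay.
    return ['ok' => true, 'agent' => $row];
}

// Walk through the probes a logged-in member (Bob, id 3) might try.
$db = build_demo_db();
$session = ['user_id' => 3];
foreach (['2', '3', '1', '4', '2 OR 1=1', ''] as $probe) {
    $r = resolve_contact_target($db, $session, $probe);
    printf("agent_id=%-10s -> %s\n", var_export($probe, true),
           $r['ok'] ? 'OK: ' . $r['agent']['display_name']
                    : 'denied: ' . $r['reason']);
}
// An anonymous request is refused before any lookup happens.
$r = resolve_contact_target($db, [], '2');
printf("anonymous agent_id=2 -> %s\n",
       $r['ok'] ? 'OK' : 'denied: ' . $r['reason']);
```

Run it with `php example.php`: only agent_id=2 (an active agent) resolves; the admin, the member, the inactive agent, the injection-shaped string and the empty value all get the same "agent not available" answer, and the anonymous request is stopped at the login check. The role condition in the query is what separates this from the "any logged-in member can reach any ID" behaviour described in the thread; whether that behaviour is a problem for a given site is the judgement the two participants above disagree on.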
