![(please configure the [header_logo] section in trac.ini)](http://www1.pconline.com.cn/hr/2009/global/images/logo.gif){kind=logo}
Ticket #163 (closed 用户报障: 已处理)
各网修改帖子漏洞
| Reported by: | chenguohao | Owned by: | dingjianyong |
|---|---|---|---|
| Priority: | 最高级(1) | Milestone: | |
| Component: | 核心模块 | Version: | |
| Keywords: | Cc: | ||
| Due Date: | 19/11/2013 |
Description (last modified by chenguohao) (diff)
据汽车网编辑反馈,非论坛管理员(版主等)用户,可操作修改其他用户的帖;查实后台确有对应的操作记录;
操作的用户ID
http://my.pcauto.com.cn/30185527
Change History
comment:2 Changed 12 years ago by dingjianyong
只拥有“修改自己帖子”权限,而没有“修改帖子”权限的用户也可以修改别人的回帖。
例如普通用户,直接输入链接
http://itbbs.pconline.com.cn/reply.do?action=edit&fid=768176&tid=50850376&pid=498573842
还是可以进入修改页面,并可以提交修改。
已经对此漏洞进行修复
Note: See
TracTickets for help on using
tickets.
