Here is an example of this bug.
Normal user information:
http://ft.fo/Default.aspx?ID=317&Presentation=Normal&Type=AccessUser&EmpID=341
Angel information:
http://ft.fo/Default.aspx?ID=317&Presentation=Normal&Type=AccessUser&EmpID=1
It should not be possible to request this user name info.
Possible to extract Angel information in URL request
Posted on 30/11/2010 12:13:39
Replies
Posted on 30/11/2010 12:35:00
You are right about that.
Quick fix: Use an XSLT template and test the EmpID value.
I highly recommend that you use the new User Management module. It has the same features as HR, except these "unwanted features".
/Morten
Nicolai Høeg Pedersen
Posted on 30/11/2010 12:40:34
Will handle this as a bug...
That said - angel is a virtual user and information is not used for anything or cannot be misused.
BR N.
Posted on 30/11/2010 13:15:35
Let me put it this way.
I would not do this in production, but if I requested ID=2 (Administrator) and set DwTemplateTags in my template, I would get the administrator password visible in the frontend.
This is a problem. I know it can be fixed by using XSLT, but still it should not be possible to request this info in the frontend.
Posted on 30/11/2010 13:19:44
Customer is using 19.0.3.1
Nicolai Høeg Pedersen
Posted on 03/12/2010 08:48:57
This has been filed as bug TFS5781
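
A log review for the requests discussed in this thread, as an added example that is not part of the original posts or of the product's own code. The log line format, the enumeration threshold and the sample lines are constructed assumptions; the reserved IDs 1 (Angel) and 2 (Administrator) are the ones named in the thread.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# IDs named in the thread: 1 = Angel, 2 = Administrator.
RESERVED_EMP_IDS = {1: "Angel", 2: "Administrator"}
# Assumption: more than this many distinct EmpIDs from one client is enumeration.
DISTINCT_ID_THRESHOLD = 3

# Constructed sample input, one "<client-ip> <request-url>" per line.
SAMPLE_LOG = """\
192.0.2.10 /Default.aspx?ID=317&Presentation=Normal&Type=AccessUser&EmpID=341
192.0.2.10 /Default.aspx?ID=317
198.51.100.7 /Default.aspx?ID=317&Presentation=Normal&Type=AccessUser&EmpID=1
198.51.100.7 /Default.aspx?id=317&type=AccessUser&empid=2
203.0.113.5 /Default.aspx?ID=317&Type=AccessUser&EmpID=340
203.0.113.5 /Default.aspx?ID=317&Type=AccessUser&EmpID=341
203.0.113.5 /Default.aspx?ID=317&Type=AccessUser&EmpID=342
203.0.113.5 /Default.aspx?ID=317&Type=AccessUser&EmpID=343
203.0.113.5 /Default.aspx?ID=317&Type=AccessUser&EmpID=abc
"""


def emp_id_from_url(url):
    """Return the EmpID of an AccessUser request, or None if not applicable."""
    # ASP.NET query-string lookups ignore key case, so normalise the keys.
    query = {k.lower(): v[-1] for k, v in parse_qs(urlsplit(url).query).items()}
    if query.get("type", "").lower() != "accessuser":
        return None
    try:
        return int(query.get("empid", ""))
    except ValueError:
        return None  # missing or non-numeric EmpID: nothing to classify


def review_log(text):
    """Return (reserved_hits, enumerating_clients) for the given log text."""
    reserved_hits, ids_by_client = [], defaultdict(set)
    for line in text.splitlines():
        client, _, url = line.partition(" ")
        emp_id = emp_id_from_url(url)
        if emp_id is None:
            continue
        ids_by_client[client].add(emp_id)
        if emp_id in RESERVED_EMP_IDS:
            reserved_hits.append((client, emp_id, RESERVED_EMP_IDS[emp_id]))
    enumerating = sorted(c for c, ids in ids_by_client.items()
                         if len(ids) > DISTINCT_ID_THRESHOLD)
    return reserved_hits, enumerating
```

Calling `review_log(SAMPLE_LOG)` returns the reserved-account requests and the clients that walked through several EmpID values.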