Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-5654

Personal Fund-raising Pages can be edited by anonymous users

          Details

          • Type: Bug
          • Status: Done/Fixed
          • Priority: Critical
          • Resolution: Fixed/Completed
          • Affects Version/s: 3.0.4
          • Fix Version/s: 3.0.4
          • Component/s: CiviContribute
          • Labels:
            None

            Description

            Any personal fundraising page can by edited by anyone on the internet by adding "&action=update" to the URL. This is a serious vulnerability to spammers and other attackers.

            For example :
            http://sandbox.civicrm.org/civicrm/contribute/pcp/info?reset=1&id=1

            Can be edited by anyone by using the URL :

            http://sandbox.civicrm.org/civicrm/contribute/pcp/info?reset=1&id=1&action=update

            Implementation
            ============
            Permission to access the above URL is granted if:

            • user has 'administer CiviCRM' permission

            OR

            • user is authenticated AND the user's contact ID = civicrm_pcp.contact_id (i.e. this is THEIR PCP)

              Attachments

                Activity

                  People

                  • Assignee:
                    sunil Sunil Pawar
                    Reporter:
                    jrlogan J.R. Logan
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    1 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: