Can Firebug be used to break Redmine security

Added by Charles Monteiro over 13 years ago

Hi, today one of our developers pointed out that he could enable a field that the system had disabled and enter a new value.

Of course, the individual would have to be logged into the system but I would like to understand better the implications of having a tool like Firebug widely available. For practical purposes we don't strictly run our Redmine installation on an intranet so perhaps this might be a concern.

Thanks


Replies (2)

RE: Can Firebug be used to break Redmine security - Added by Etienne Massip over 13 years ago

Could you fill in a defect for this precise security glitch, please?

RE: Can Firebug be used to break Redmine security - Added by Charles Monteiro over 13 years ago

Sure, but apparently using Firebug to enable/disable fields is a very normal and typically used feature developers use when debugging their web apps, so I would have thought that this is just part of the nature of these JS-driven apps. I'll go ahead and enter a ticket.
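
The question in this thread comes down to where the restriction is enforced: a `disabled` attribute is applied only by the browser, so the server has to decide which submitted fields it accepts. The following is an added example, not part of the thread and not Redmine's code; the role/status policy, the function names and the sample issue are hypothetical and constructed for illustration.

```ruby
require 'set'

# Constructed policy (assumption): fields each role may change in each status.
EDITABLE_FIELDS = {
  ['reporter', 'new']    => Set['subject', 'description'],
  ['reporter', 'closed'] => Set[],
  ['manager',  'new']    => Set['subject', 'description', 'priority', 'assigned_to'],
  ['manager',  'closed'] => Set['priority']
}.freeze

# Outcome of checking one form submission.
FilterResult = Struct.new(:accepted, :rejected)

# Split submitted attributes into those the server will apply and those it
# refuses. A field rendered as disabled is normally absent from the request;
# if it arrives with a changed value, the form was altered on the client.
def filter_submission(role, status, current, submitted)
  allowed = EDITABLE_FIELDS.fetch([role, status], Set[])
  accepted = {}
  rejected = {}
  submitted.each do |field, value|
    next if current[field] == value   # unchanged value: nothing to apply
    if allowed.include?(field)
      accepted[field] = value
    else
      rejected[field] = value         # worth recording in an audit log
    end
  end
  FilterResult.new(accepted, rejected)
end

# Apply only the accepted attributes; the stored record never sees the rest.
def apply_update(role, status, current, submitted)
  result = filter_submission(role, status, current, submitted)
  [current.merge(result.accepted), result.rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  issue  = { 'subject' => 'Printer offline', 'priority' => 'normal', 'assigned_to' => 'alice' }
  # 'priority' was rendered disabled for this role but is present in the request.
  params = { 'subject' => 'Printer offline (3rd floor)', 'priority' => 'urgent' }
  updated, refused = apply_update('reporter', 'new', issue, params)
  puts "stored:  #{updated}"
  puts "refused: #{refused}"
end
```

With this check in place, re-enabling a field in the browser changes what is sent but not what is stored.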
