Project

General

Profile

Actions

Defect #8166

closed

Firebug can enable a disabled field and thus allow a change

Added by Charles Monteiro over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
2011-04-15
Due date:
% Done:

0%

Estimated time:
Resolution:
Invalid
Affected version:

Description

A developer of ours proved that he could use Firebug to enable a field that the system had disabled. In this case, the estimated time field and enter a new value. Thus bypassing the system's constraints.

I don't understand what is fully exposed to a tool like Firebug. It seems to me that the individual would have to be logged in to the system and even though he would be able to enable the field and submit the update that at the very least that update would be tracked as part of the issue's history.

Anyhow, of course, we would prefer that the capability was not there but this might just part of the nature of the beast i.e. a JS driven app.

Are there any other security risks that a tool like Firebug opens up ?

thanks in advance,

-Charles

Actions

Also available in: Atom PDF