Defect #8166
closed
Firebug can enable a disabled field and thus allow a change
Added by Charles Monteiro over 13 years ago.
Updated over 13 years ago.
Description
A developer of ours proved that he could use Firebug to enable a field that the system had disabled. In this case, the estimated time field and enter a new value. Thus bypassing the system's constraints.
I don't understand what is fully exposed to a tool like Firebug. It seems to me that the individual would have to be logged in to the system and even though he would be able to enable the field and submit the update that at the very least that update would be tracked as part of the issue's history.
Anyhow, of course, we would prefer that the capability was not there but this might just part of the nature of the beast i.e. a JS driven app.
Are there any other security risks that a tool like Firebug opens up ?
thanks in advance,
-Charles
Where was this disabled 'estimated time' field? On a parent issue?
And please give your Redmine version.
current version: Redmine 1.0.4.stable (MySQL)
I've just had a look at the 1.0.4 code and it should not allow the change. I'll see if it can reproduce.
Do you have any plugins installed?
I can not reproduce with current trunk. The value submitted after enabling the field is ignored.
thank you and sorry for the waste of time, the developer did not include that last piece of info.
Charles Monteiro wrote:
thank you and sorry for the waste of time, the developer did not include that last piece of info.
What is "that last piece of info"?
That the "value submitted after enabling the field is ignored". In other words he stopped short and just reported that the firebug was able to enable a disabled field and that subsequently the value of the field could be changed. I have not tested the impact of this in different scenarios but in this case there is no real impact as you have pointed out.
To be complete I also should answer your question, no I don't have any plugins installed although that is also irrelevant at this point.
thank you for your attention to this.
Could you ask him for more details ?
I'm not sure what further detail you want. He simply used firebug to enable a disabled field, he then changed the value but never submitted the form. Had he done so he would have realized that his change would not be submitted.
- Status changed from New to Closed
- Resolution set to Invalid
Ok, sorry, I misunderstood, thought he eventually submitted the value.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by