John W. Long wrote:
> Can anyone shed light on how the attacker would be able to do this?

Just a guess: Admin::UserController#preferences.

> only_allow_access_to :index, :new, :edit, :remove, :when => :admin

"preferences" is not in that list.

> @user = User.find(session['user'].id)

Unless whiny_nils is enabled (which I strongly recommend), anyone can pretend to be user #4, because nil.id = 4.

> if valid_params?

Only password changes allowed; that should be OK for a hacker.

I didn't try it, so I might have overlooked something, but maybe you should take a look at it.

--
Posted via http://www.ruby-forum.com/.

Radiant mailing list
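The two weaknesses the reply points at, as an added illustration that is not code from the thread or from Radiant: an action allowlist that leaves unlisted actions open, and a session lookup that calls `.id` on a missing value. Rails is not required; `LegacyNil`, `USERS`, `UserRef` and the `lookup_user_*` / `action_permitted_*` helpers are constructed for this example, and `LegacyNil` only emulates the Ruby 1.8 behaviour (nil.id == 4) on current interpreters, where `nil.id` raises.

```ruby
# Ruby 1.8 aliased Object#id to #object_id and nil.object_id was 4, so
# `nil.id` returned 4 unless whiny_nils made it raise. Modern Ruby has no
# Object#id, so this stand-in reproduces the old result for demonstration.
class LegacyNil
  def id
    4
  end
end

UserRef = Struct.new(:id)                      # what session['user'] holds
USERS = { 4 => "user-4 (first account)", 7 => "user-7" }  # constructed data

# Vulnerable pattern: with no session entry, the lookup is driven by
# nil.id (emulated here) and silently resolves to user #4.
def lookup_user_unsafe(session)
  user_ref = session['user'] || LegacyNil.new  # emulates Ruby 1.8 nil.id
  USERS.fetch(user_ref.id, nil)
end

# Hardened pattern: refuse to look anything up without an authenticated
# session entry instead of trusting whatever `.id` happens to return.
def lookup_user_safe(session)
  user_ref = session['user']
  return nil unless user_ref.is_a?(UserRef)
  USERS.fetch(user_ref.id, nil)
end

# Access control as quoted in the thread: only the listed actions are
# restricted to admins, so :preferences (not listed) is open to anyone.
ADMIN_ONLY = [:index, :new, :edit, :remove]

def action_permitted_allowlist?(action, role)
  return true unless ADMIN_ONLY.include?(action)  # unlisted => allowed
  role == :admin
end

# Deny-by-default variant: an action is reachable by non-admins only when
# it has been explicitly opened, so a forgotten action stays protected.
PUBLIC_ACTIONS = []

def action_permitted_deny_default?(action, role)
  return true if PUBLIC_ACTIONS.include?(action)
  role == :admin
end
```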
