
Originally Posted by greengiant
This has been added to 1.1.4. We should release later today.
This is probably not as obvious to some, but a pre-existing security hole has been exposed by adding the simple search/edit features to "listings_edit.php" and "edit_my_listings.php".
No matter what agent I happen to be logged-in as, all I need is the listing's ID# and I can edit ANY listing in the DB.
This is fine for the Admin using listings_edit.php but for someone who is an Agent using "edit_my_listings.php", it gives them more power than was probably intended.
This could be especially troublesome for anyone who is using OR as a portal/pay site.
To anyone who intends to continue to use this search feature, I would suggest that you plan to add some sort of security query to the "search" to make sure that the person "searching" (editing) can only "see" (edit) listings they have permissions for.
In the meantime, you should remove the following from "edit_my_listings.php" at or around line 314, just to "...keep honest people honest":
Code:
echo "<table align=\"center\"><tr><td align=\"center\">Enter the Site ID Number Of the Listing You Want To Edit<form action=\"$config[baseurl]/admin/edit_my_listings.php?edit=$id\" method=\"get\" name=\"idform\"><input name=\"edit\" type=\"text\" id=\"listingID\" size=\"10\">&nbsp;&nbsp;<input type=\"submit\" value=\"EDIT LISTING\" class=\"button\" /></form></td></tr></table><br>";
Removing this does not solve the security problem; it just makes it less obvious to your users/Agents.
Why? Because any Agent (non-admin) can still just edit the URL in the browser, i.e. "http://www.yourdomain.com/admin/edit_my_listings.php?edit=13437",
and then change the listing id at the end ("13437") to whatever valid listing number they want, and bingo, they're editing and possibly deleting listings they don't have privileges for. :shock:
The new search feature did not create the security hole, it just exposed it for me.
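The "security query" suggested above, written out as an added example (this is not Open-Realty's own code): an ownership check that edit_my_listings.php would run before it loads any listing for editing or deletion, so that ?edit=<id> in the URL is no longer trusted on its own. It assumes PHP 7+ with a mysqli connection in $conn, a listings table named listingsdb with columns listingsdb_id and userdb_id, and the logged-in agent's id and admin flag held in $_SESSION['userID'] and $_SESSION['admin_privs']; adjust those names to match your install.

```php
<?php
// Added example, not project code. Assumed names: $conn (mysqli),
// table listingsdb (listingsdb_id, userdb_id), $_SESSION['userID'],
// $_SESSION['admin_privs'].

function agent_can_edit_listing(mysqli $conn, int $listing_id, int $agent_id, bool $is_admin): bool
{
    // Admins (the listings_edit.php case) may edit any listing; agents may not.
    if ($is_admin) {
        return true;
    }

    // The id comes straight from the URL, so bind it instead of
    // interpolating it into the SQL string.
    $stmt = $conn->prepare('SELECT userdb_id FROM listingsdb WHERE listingsdb_id = ?');
    $stmt->bind_param('i', $listing_id);
    $stmt->execute();
    $stmt->bind_result($owner_id);
    $found = $stmt->fetch();
    $stmt->close();

    // Unknown listing or a different owner: deny in both cases, with the
    // same answer, so the check does not reveal which ids exist.
    return $found && (int) $owner_id === $agent_id;
}

// Run this at the top of the edit path, before the existing edit/delete code.
$listing_id = isset($_GET['edit']) ? (int) $_GET['edit'] : 0;
$agent_id   = isset($_SESSION['userID']) ? (int) $_SESSION['userID'] : 0;
$is_admin   = isset($_SESSION['admin_privs']) && $_SESSION['admin_privs'] === 'yes';

if ($listing_id <= 0 || $agent_id <= 0
    || !agent_can_edit_listing($conn, $listing_id, $agent_id, $is_admin)) {
    http_response_code(403);
    exit('You do not have permission to edit this listing.');
}
// ...the existing edit/delete handling for $listing_id continues here,
// now only reachable for listings the logged-in agent actually owns.
```

The same check belongs in front of any delete or save action that takes a listing id from the request, not only the edit form, since the form is only the visible entry point.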