View Issue Details

ID: 0015372
Project: phplist application
Category: Authentication System
View Status: public
Last Update: 19-04-10 18:53
Reporter: adrian15
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: FutureDevelopments
Target Version:
Fixed in Version: 2.10.12
Summary: 0015372: An admin can delete other admins' lists without being the owner
Description: If one admin has access to the list page, he can write a URL like this:
http://domain.com/lists/admin/?page=list&delete=4

Even if the list with id=4 is not a property of the admin, it gets deleted!
Additional Information: I think this bug should be checked in 2.10.10 and also solved there, because it is a very important bug in my opinion.
Tags: No tags attached.

Relationships

related to 0015377 (resolved, michiel): Editlist: Admin can edit other admins' lists and steal them

Activities

30-11-09 20:45

svn_r1703_post_initial_04_patch_list_admin_can_delete_other_admins_lists.patch (1,421 bytes)
diff -urN svn_r1703_sin_punto_svn_improved_01_editlist_acceslist/phplist/public_html/lists/admin/list.php svn_r1703_sin_punto_svn_improved_02_list_delete_any_list/phplist/public_html/lists/admin/list.php
--- svn_r1703_sin_punto_svn_improved_01_editlist_acceslist/phplist/public_html/lists/admin/list.php	2009-11-29 11:27:41.000000000 +0100
+++ svn_r1703_sin_punto_svn_improved_02_list_delete_any_list/phplist/public_html/lists/admin/list.php	2009-11-29 13:01:51.000000000 +0100
@@ -11,12 +11,18 @@
 
 if (isset($_GET['delete'])) {
   $delete = sprintf('%d',$_GET['delete']);
+  print $GLOBALS['I18N']->get('Checking')." $delete ...\n";
+  $req = Sql_Query(sprintf("select * from %s where ((owner = %d) and (id = %d))",$tables["list"],$_SESSION["logindetails"]["id"],$delete));  
+  if (!Sql_Affected_Rows()) {
+    print '<p class="error">'.$GLOBALS['I18N']->get("You do not have enough permissions to delete this list.").'</p>';
+  } else {
   # delete the index in delete
   print $GLOBALS['I18N']->get('Deleting') . " $delete ..\n";
   $result = Sql_Query_Params("delete from $tables[list] where id = ?", array($delete));
   $result = Sql_Query_Params("delete from $tables[listuser] where listid = ?", array($delete));
   $result = Sql_Query_Params("delete from $tables[listmessage] where listid = ?", array($delete));
   print '..' . $GLOBALS['I18N']->get('Done') . "<br /><hr /><br />\n";
+  }
 }
 
 ## quick DB fix
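Review bot: the new ownership check (the `$req = Sql_Query(sprintf(...))` line) builds its query with sprintf and then tests Sql_Affected_Rows() on a SELECT, while the three deletes directly below it use Sql_Query_Params with ? placeholders; for consistency, and so the check reads as a row-count test rather than an affected-rows test, issue it the same way, e.g. `$req = Sql_Query_Params("select id from $tables[list] where id = ? and owner = ?", array($delete, $_SESSION['logindetails']['id']));` and branch on the number of rows returned. Two smaller points: the check admits only the list's owner, so if the application has an administrator role that is meant to manage every list, that role is refused here as well and would need an exemption; and the `$req = ...` line carries trailing whitespace.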

michiel (manager) ~0050931
19-04-10 18:53

revision 1871