Geeklog Forums

Serious bug in usersettings ?


remy

Forum User
Full Member
Registered: 06/09/03
Posts: 162
Location:Rotterdam & Bonn
The constant changing of the field pwrequestid in table['users'] caught my attention.
Then I discovered the code
Text Formatted Code
    $reqid = substr (md5 (uniqid (rand (), 1)), 1, 16);
    DB_change ($_TABLES['users'], 'pwrequestid', "$reqid",
                                  'username', $username);


 
in /usersettings.php within the function edit_user(). This function displays only the form to change the user settings. The variable $username is not even set. So the DB_change changes the complete table, leaving users alone with an expired request later on.

I think this code is there in error.
Maybe I am overlooking something. Can somebody help me out?

remy

I've corrected the $username into $_USER['username'].
I'm not sure if that's correct. Possibly the code does not belong there. The other programs /users.php and /admin/user.php don't have these lines.
I would expect in any case /admin/user.php to have the lines, if they are correct.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Nice find ...

Your patch makes perfect sense, although I think Geeklog should really be using the uid here instead of the username (I've changed it to using the uid in CVS now).

bye, Dirk
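
The failure mode discussed in this thread, as an added example that is not part of the original posts and is not Geeklog's code: a keyed UPDATE helper called with an unset key value, next to a form keyed on the numeric uid that refuses to run without one. `demo_change()` and `safe_change_reqid()` are hypothetical names, the table rows are constructed, and the helper's behaviour of dropping the WHERE clause for an empty value is an assumption made to match the table-wide change reported in the first post.

```php
<?php
// Added example, not Geeklog code. demo_change() is a hypothetical stand-in for a
// DB_change-style helper; it is ASSUMED to omit the WHERE clause when the key
// value is empty, which would produce the table-wide update reported above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, pwrequestid TEXT)");
// Constructed sample rows: two users with pending password-reset request ids.
$db->exec("INSERT INTO users VALUES (2, 'alice', 'pending-a'), (3, 'bob', 'pending-b')");

function demo_change(PDO $db, string $col, string $new, string $key, $val): int
{
    $sql = "UPDATE users SET $col = " . $db->quote($new);
    if (!empty($val)) {                       // unset/empty key value: no WHERE at all
        $sql .= " WHERE $key = " . $db->quote((string) $val);
    }
    return $db->exec($sql);                   // number of rows changed
}

function safe_change_reqid(PDO $db, $uid, string $new): int
{
    // Hardened form: key on the numeric uid and refuse to run without one.
    if (!is_int($uid) || $uid < 1) {
        throw new InvalidArgumentException('refusing UPDATE without a valid uid');
    }
    $st = $db->prepare('UPDATE users SET pwrequestid = :r WHERE uid = :u');
    $st->execute([':r' => $new, ':u' => $uid]);
    return $st->rowCount();
}

// 16 hex characters from random_bytes(), swapped in for the page's md5/uniqid expression.
$reqid = bin2hex(random_bytes(8));

$username = null;                             // mirrors the unset $username in edit_user()
echo "unset key changed ", demo_change($db, 'pwrequestid', $reqid, 'username', $username), " rows\n";

echo "keyed on uid changed ", safe_change_reqid($db, 2, $reqid), " row(s)\n";

try {
    safe_change_reqid($db, null, $reqid);     // missing uid is rejected, not widened
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Comparing the affected-row count against the expected single row is also a cheap runtime check for this class of bug.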