[GH-ISSUE #44] Possible security problem #27

Open
opened 2026-03-02 03:21:21 +03:00 by kerem · 1 comment

Originally created by @bozhinov on GitHub (Feb 25, 2021).
Original GitHub issue: https://github.com/clonos/control-pane/issues/44

github.com/clonos/control-pane@228e14b062/public/index.php (L73)

```html
<script type="text/javascript"> _first_start=true; err_messages={add:function(arr){for(n in arr){err_messages[n]=arr[n];}}}; user_id='1';user_login='admin'; </script>
```

I can't find any reference to `user_login` anywhere else in the code.
The question is whether `user_id` is being passed to some other script, like public\js\clonos.js,
to be used for user deletion or other sensitive stuff.

I mean, I can craft the page to make myself admin. admin is user_id = 1.


@olevole commented on GitHub (Feb 25, 2021):

You're right. Apparently this is an artifact from the old code. I suppose it can be removed.

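The concern behind the report is a general one: if an identity value that the server printed into page JavaScript (`user_id='1'`) were later sent back with requests and treated as the caller's identity, anyone could edit the page or the request and act as user 1. The maintainer confirms the variables are an unused artifact here, so nothing below is control-pane code; it is an added example in plain Node.js with a constructed in-memory user table and session store, and hypothetical `req`/`db` shapes, showing the client-trusting pattern the issue asks about next to the session-bound form that is not affected by what the page contains.

```javascript
// Added example (not control-pane code): why a user id that originated in
// page JavaScript must never be the basis for a server-side authorization
// decision. Data, request shape and handlers are all constructed for this
// illustration.

// Constructed sample data: a user table and a session store.
const users = new Map([
  [1, { login: "admin", role: "admin" }],
  [2, { login: "alice", role: "user" }],
  [3, { login: "bob", role: "user" }],
]);

// Session token -> user id, established server-side at login time.
const sessions = new Map([
  ["tok-admin", 1],
  ["tok-alice", 2],
]);

// Fresh copy of the user table so each scenario starts from the same state.
function freshUsers() {
  return new Map([...users].map(([id, u]) => [id, { ...u }]));
}

// Pattern the issue worries about: the handler trusts a `user_id` field that
// the client sent (e.g. copied from the page's inline script). `req` is a
// plain object standing in for a parsed HTTP request (hypothetical shape).
function deleteUserTrustingClient(db, req) {
  const actor = db.get(Number(req.body.user_id)); // attacker-controlled value
  if (!actor || actor.role !== "admin") return { status: 403 };
  if (!db.has(req.body.target)) return { status: 404 };
  db.delete(req.body.target);
  return { status: 200 };
}

// Hardened form: the acting user comes only from the server-side session that
// the cookie maps to; any `user_id` field in the body is ignored entirely.
function deleteUserSessionBound(db, req) {
  const actorId = sessions.get(req.cookies.session);
  const actor = actorId === undefined ? undefined : db.get(actorId);
  if (!actor || actor.role !== "admin") return { status: 403 };
  if (!db.has(req.body.target)) return { status: 404 };
  db.delete(req.body.target);
  return { status: 200 };
}

// Scenario: alice (an ordinary user) crafts a request claiming to be user 1
// and tries to delete bob.
function attackerRequest() {
  return {
    cookies: { session: "tok-alice" },
    body: { user_id: "1", target: 3 },
  };
}

// Run one handler against the attacker's request and report the outcome.
function runScenario(handler) {
  const db = freshUsers();
  const res = handler(db, attackerRequest());
  return { status: res.status, bobStillExists: db.has(3) };
}

// Expected: trusting client -> { status: 200, bobStillExists: false }
//           session bound   -> { status: 403, bobStillExists: true }
if (typeof require !== "undefined" && require.main === module) {
  console.log("trusting client:", runScenario(deleteUserTrustingClient));
  console.log("session bound:  ", runScenario(deleteUserSessionBound));
}
```

The practical check this suggests for a code base like control-pane is the one the reporter started: grep the client scripts for the embedded identifier, then trace every request that carries it to the server handler and confirm the handler re-derives the caller from its own session state rather than from that field.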
Reference
starred/control-pane#27