HUGE security concern - anybody can promote story instantly

[shane]

I have found a HUGE security problem. ANY user can instantly promote a story to the homepage, regardless of the amount of "pliggs"...just like an admin can, by clicking the "Change the status" link. Here's the concern....ANYBODY can do this, whether they're an admin, or not....as long as they know the link to do it.

For example....

Somebody submits a story....the link to their story is as follows:

http://mypliggsite.com/story/16/

As long as they know the edit link for this (link that follows), they can edit it...even if they're not an admin. This is a huge problem.

http://mypliggsite.com/story/16/modify/main/

Had anyone else noticed this, or know how it can be fixed?

[AshDigg]

Thanks!

I usually check to make sure the user is "god" but in this case I didn't.

I'll get this fixed asap.

Thanks!

[clancey]

If you are impatient, this hack to linkadmin.php fixes the problem in a polite way.

Quote:

<?php
include('config.php');
include(mnminclude.'html1.php');
include(mnminclude.'link.php');

do_header('Link Admin', 'test');

force_authentication();
do_navbar('Link Admin');

if($current_user->user_level == "admin" or $current_user->user_level == "god") {; }
else
{
echo "<br />I am sorry, but you do not have administrative privileges on this site.<br />
If you wish to be promoted, please contact the site administrator.<br />";
return;
}