User can choose non-existent ad category
There is a bug in step 1 of the ad posting process.
A user can modify the POST submission (on the client side) using a tool such as the Firefox "Tamper Data" plugin.
The user can set the value of the "cat" parameter to an integer value that does not correspond to any existing ad category.
For example, suppose I have a site with ad categories with IDs of: "9", "13", "14". In this case, the category selection input (i.e. dropdown menu) on step 1 will have 4 items: the three categories, plus the "Select one" prompt (which has a "cat" value of "-1").
Normal scenario:
Normally, a user selects an option from the menu (e.g. "Cars and Trucks" which we can pretend has a value of "13") and presses the Submit button. When the user clicks the Submit button, the form will be submitted with the "cat" parameter set to "13". The next page will show the category by name: "Cars and Trucks." Everything is normal.
Now for the hacked scenario:
Suppose the user modifies the POST data (which they can do... I just did using the plugin I mentioned above) and sets "cat" equal to "999" (which does not correspond to an existing ad category).
ClassiPress will accept this submission and continue on to the next step of the New Ad process like nothing is wrong.
Here is a graphical representation of the two scenarios:
classipress_category_selection_bug.jpg
I recommend AppThemes implement server-side validation of this form (and all forms), so the theme rejects submissions containing invalid ad category IDs.
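A minimal sketch of the server-side check recommended above. This is an added example, not ClassiPress or AppThemes code: the function name validate_ad_category() and the hard-coded $validIds list are hypothetical stand-ins, and a real theme would look the ID up through WordPress's taxonomy API (for example term_exists()) rather than a fixed array.

```php
<?php
// Added example: server-side check of the step-1 "cat" value.
// validate_ad_category() and $validIds are hypothetical; $validIds stands in
// for the site's real category IDs, which a theme would fetch from the
// WordPress taxonomy API instead of hard-coding.

/**
 * Return the category ID as an int when it names an existing category,
 * or null when the submission must be rejected.
 */
function validate_ad_category($raw, array $validIds): ?int
{
    // Step 1: the value must be a well-formed positive integer.
    // This rejects arrays, missing values, "13abc", 0, and "-1"
    // (the value of the "Select one" prompt).
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Step 2: well-formed is not enough. The ID must belong to a category
    // that actually exists, which is the check the report says is missing.
    return in_array($id, $validIds, true) ? $id : null;
}

// Constructed sample data using the category IDs from the report.
$validIds = [9, 13, 14];

// Constructed submissions: the normal case, the tampered "999", the
// "Select one" prompt, a malformed string, an array, and a missing value.
$submissions = ['13', '999', '-1', '13abc', ['13'], null];

foreach ($submissions as $cat) {
    $id = validate_ad_category($cat, $validIds);
    printf(
        "%-8s => %s\n",
        json_encode($cat),
        $id === null ? 'rejected, redisplay step 1' : "accepted as category $id"
    );
}
```

The same check has to run again on every later step that reads "cat", since each of those requests can be modified on the client side in the same way.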