Firebug can enable a disabled field and thus allow a change
A developer of ours proved that he could use Firebug to enable a field that the system had disabled. In this case, the estimated time field and enter a new value. Thus bypassing the system's constraints.
I don't understand what is fully exposed to a tool like Firebug. It seems to me that the individual would have to be logged in to the system and even though he would be able to enable the field and submit the update that at the very least that update would be tracked as part of the issue's history.
Anyhow, of course, we would prefer that the capability was not there but this might just part of the nature of the beast i.e. a JS driven app.
Are there any other security risks that a tool like Firebug opens up ?
thanks in advance,
Updated by Charles Monteiro over 12 years ago
That the "value submitted after enabling the field is ignored". In other words he stopped short and just reported that the firebug was able to enable a disabled field and that subsequently the value of the field could be changed. I have not tested the impact of this in different scenarios but in this case there is no real impact as you have pointed out.
To be complete I also should answer your question, no I don't have any plugins installed although that is also irrelevant at this point.
thank you for your attention to this.