Ok, I've looked into this on my test install.
Quote:
1. They have discovered that all they have to do is change the number in the adopt link (from adopt.php?id=xx) as a shortcut to getting any adoptable they want. They can even change this in this link "/doadopt.php?name=&id=28&promocode=&Submit=Adopt+Me" to get the different adoptables.
Well, yes, if they know the ID of the adoptable they want to adopt, they can simply change the number to adopt it. They cannot, however, use this method to adopt adoptables that have conditions attached to them which the user does not meet. For instance, if an adoptable can only be adopted 10 times, and this is already the case, the user cannot use this method to get the adoptable again; instead they get an "Adoption Denied" error message. The same is true for promo-coded adoptables. This will only work if the user knows the valid promo code.
Unless your install is also ignoring the conditions and allowing users who do not meet the adoption conditions to adopt pets, there is no exploit and the script is working as it should.
Quote:
2. Refreshing the adoption page by either pressing the refresh button or ctrl+F5 to mass adopt as many as they want...
Well, yes this is true, but it also is the same as the user simply going back, clicking adopt, clicking on the pet, renaming it, etc. If you want to limit this behavior, simply set conditions on the adoptable so that the user can only have so many of that type of adoptable.
If there are conditions on the adoptable, they will be honored and the user will not be able to adopt more of the adoptable.
I hope this clears some things up for people. :)
Brandon
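The server-side checks Brandon describes (valid promo code, overall adoption cap, per-user limit) as an added PHP example; this is not the adoptables script's own code, and the arrays, function name and sample values are constructed placeholders standing in for what a real install reads from its database:

```php
<?php
// Added example, not the adoptables script's own code. The id comes straight
// from the query string, so every condition must be re-checked here, in the
// handler that performs the adoption, not in the page that renders the link.

// Constructed sample rows: promocode null = none, max 0 = unlimited.
$adoptables = [
    27 => ['name' => 'Fire Pup',    'promocode' => null,      'max_total' => 10, 'max_per_user' => 1],
    28 => ['name' => 'Gold Dragon', 'promocode' => 'SECRET1', 'max_total' => 0,  'max_per_user' => 0],
    29 => ['name' => 'Rare Owl',    'promocode' => null,      'max_total' => 10, 'max_per_user' => 0],
];
// Constructed counters: adoptions so far, overall and per user.
$adoptedTotal  = [27 => 9, 28 => 2, 29 => 10];
$adoptedByUser = ['alice' => [27 => 1], 'bob' => []];

function adoptionResult(array $adoptables, array $total, array $byUser, string $user, $rawId, string $promo): string
{
    // Never trust the id parameter: it must be an integer that exists.
    if (!preg_match('/^\d+$/', (string) $rawId) || !isset($adoptables[(int) $rawId])) {
        return 'Adoption Denied: unknown adoptable';
    }
    $id = (int) $rawId;
    $a  = $adoptables[$id];

    // Promo-coded adoptables require the valid code; compare in constant time.
    if ($a['promocode'] !== null && !hash_equals($a['promocode'], $promo)) {
        return 'Adoption Denied: invalid promo code';
    }
    // Global cap ("can only be adopted 10 times").
    if ($a['max_total'] > 0 && ($total[$id] ?? 0) >= $a['max_total']) {
        return 'Adoption Denied: no longer available';
    }
    // Per-user cap; this is the condition that also bounds repeated refreshes.
    if ($a['max_per_user'] > 0 && ($byUser[$user][$id] ?? 0) >= $a['max_per_user']) {
        return 'Adoption Denied: you already have the maximum of this type';
    }
    return 'Adopted ' . $a['name'];
}

// Simulated requests, equivalent to /doadopt.php?name=&id=28&promocode=&Submit=Adopt+Me
echo adoptionResult($adoptables, $adoptedTotal, $adoptedByUser, 'bob',   '28', ''),        PHP_EOL; // denied: promo code
echo adoptionResult($adoptables, $adoptedTotal, $adoptedByUser, 'bob',   '28', 'SECRET1'), PHP_EOL; // Adopted Gold Dragon
echo adoptionResult($adoptables, $adoptedTotal, $adoptedByUser, 'bob',   '27', ''),        PHP_EOL; // Adopted Fire Pup
echo adoptionResult($adoptables, $adoptedTotal, $adoptedByUser, 'alice', '27', ''),        PHP_EOL; // denied: per-user limit
echo adoptionResult($adoptables, $adoptedTotal, $adoptedByUser, 'bob',   '29', ''),        PHP_EOL; // denied: cap of 10 reached
echo adoptionResult($adoptables, $adoptedTotal, $adoptedByUser, 'bob',   '28abc', ''),     PHP_EOL; // denied: unknown id
```

Run it with `php` on the command line; each line shows one tampered or repeated request being decided purely by the server-side conditions, which is why changing the id alone yields nothing beyond what those conditions allow.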