The profile delete confirmation is using direct link to delete action URL. Changing a resource in web with a GET request is basicly against the HTTP protocol. Noted this while scanning vulnerabilities on site with an administration user. After the scan fckeditor profiles were deleted. There is also a threat of tricking an administrator to this URL from outside the site. Proper Drupal form should be used for any actions.

Comments

Jorrit’s picture

Status: Active » Closed (won't fix)

This has been fixed in the 6.x-2.x branch and it will not be fixed in previous versions.