You found the bug.

Each bug must be replicable in the test installation. You can check the form that doesn't require authentication: https://sivel1.pasosdeJesus.org/consulta_web.php ; as well as other components that shouldn't allow modification of information as user sivel1 with password sivel1: https://sivel1.pasosdeJesus.org/index.php ; or as administrator adminsivel1 --same password. This installation operates on the recommended execution platform (OpenBSD distribution adJ 4.3, web server with SSL in chroot, PostgreSQL and hardened PHP) and uses data from Banco De Datos de Violencia Política, DH y DIH del CINEP.

Your report should explain the methodology that you used to find the bug and propose a solution in the source code of the version 1.0 available at http://sourceforge.net/projects/sivel/files/ (in the directory doc of the sources ther are examples of past auditories).

To report a vulnerability subscribe your email address to the non moderated list sivel-desarrollo and send there your public domain report (by reporting a vulnerability in that list you confirm that your contribution is in the public domain).

Your report will be evaluated and answered in the same list, and if we are able to reproduce it, we will give you the monetary compensation personally, or via PayPal or a bank transfer.

The data about yourself that you don't want to publish in the list (for example your name), can be sent to Vladimir Támara Patiño vtamara@pasosdeJesus.org or by writing to Cr 5 #33A-08, Bogotá, Colombia (if you need to send encrypted information you can use the PGP public key available at http://vtamara.pasosdeJesus.org/vtamara-pgp.txt).