There is a bug in the address_book_process.php file. It is similar to the one I created a few minutes ago (OSC-423), but this is a bit more critical!
If the user wants to update one of his address book entries, he can manipulate his address book with a little hack.
If the user copies the form content from osCommerce, changes some data and submits it again to osCommerce, then address_book_process doesn't validate the received data before the db update.
The user just has to change the edit id in the action attribute of the form tag to another, unknown id and also change it in the hidden field, like this:
e.g.:
<form name="addressbook" action="http://localhost/_osCommerce/address_book_process.php?edit=11&osCsid=2c0a7f02262a145707b0575aa58f06a3" method="post">
e.g.:
<input type="hidden" name="edit" value="11">
In addition, he has to set the checkbox (set as primary..) to true.
Now when he submits the form, it's going to set the modified edit id as the default id, which is related to another person.
For example, in the checkout process he can now use an existing foreign address as billing address and so on.
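
The missing check described in this report is an ownership test on the submitted edit id. The following is an added example, not part of the original report and not osCommerce's own code: it uses PDO with an in-memory SQLite database (pdo_sqlite assumed available), and the table, column and form field names, the helper functions and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory data; table and column names are assumptions.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE address_book (address_book_id INTEGER PRIMARY KEY,
               customers_id INTEGER, entry_street_address TEXT)');
    $db->exec('CREATE TABLE customers (customers_id INTEGER PRIMARY KEY,
               customers_default_address_id INTEGER)');
    $db->exec("INSERT INTO address_book VALUES (10, 1, 'Own St 1'), (11, 2, 'Other St 2')");
    $db->exec('INSERT INTO customers VALUES (1, 10), (2, 11)');
    return $db;
}

// $customerId must come from the server-side session, never from the request.
function update_address(PDO $db, int $customerId, array $post): bool {
    $editId = filter_var($post['edit'] ?? null, FILTER_VALIDATE_INT);
    if ($editId === false) {
        return false; // missing or non-numeric id
    }
    $key = [':id' => $editId, ':cid' => $customerId];
    // Ownership check: the entry must belong to the logged-in customer.
    $own = $db->prepare('SELECT 1 FROM address_book
                         WHERE address_book_id = :id AND customers_id = :cid');
    $own->execute($key);
    if ($own->fetchColumn() === false) {
        return false; // foreign or unknown entry: change nothing
    }
    // Keep the owner in the WHERE clause of the write as well.
    $upd = $db->prepare('UPDATE address_book SET entry_street_address = :street
                         WHERE address_book_id = :id AND customers_id = :cid');
    $upd->execute($key + [':street' => (string)($post['street_address'] ?? '')]);
    if (!empty($post['primary'])) {
        $def = $db->prepare('UPDATE customers SET customers_default_address_id = :id
                             WHERE customers_id = :cid');
        $def->execute($key);
    }
    return true;
}

$db = demo_db();
// Tampered request from customer 1: entry 11 belongs to customer 2.
var_dump(update_address($db, 1, ['edit' => '11', 'street_address' => 'X', 'primary' => 'on']));
// Legitimate request from customer 1 for their own entry 10.
var_dump(update_address($db, 1, ['edit' => '10', 'street_address' => 'New St 5', 'primary' => 'on']));
// Customer 1's default address id after both requests.
var_dump($db->query('SELECT customers_default_address_id FROM customers WHERE customers_id = 1')->fetchColumn());
```

The same ownership condition belongs on every code path that accepts an address book id from the client, including the one that sets the default address.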