details2.php in OrganicPHP PHP-affiliate 1.0, and possibly later versions, allows remote attackers to modify information of other users by modifying certain hidden form fields.
http://www.securityfocus.com/bid/5482
http://www.iss.net/security_center/static/9858.php
http://archives.neohapsis.com/archives/bugtraq/2002-08/0141.html