index.php for Zorum 3.5 allows remote attackers to perform certain actions as other users by modifying the id parameter.