Bugs | Posted by | 7 years ago
Discussion

[Security] Reading staff conversation as non admin.

Hi!

It looks like you have an issue with authorization in the "comments/quote" REST method.

As of now, it allows non-admin users to get the content of any comment message (even from the non-public staff/mod-talk/ sub-forum) by id.

For example, the message with id 46 clearly contains some sensitive admin data about ".. a playful, slightly Hearthstoney font."

Also, the members page of an admin user (like /members/fluxflashor) allows seeing the names of threads from the staff/ sub-forum, which can also potentially leak some sensitive information.

Comments

  • Thanks for the report, zmacr.

    Both issues have been fixed.

  • ... it looks like now I can only "Quote" my own messages, and not the messages of other users (the forum Quote button is useless for now).

    Instead, I think a user should be able to Quote any message (written by any user) which belongs to a thread he is authorized to view.

    Second issue looks fixed with no further problems.
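As an added illustration (not the forum's own code), the three authorization behaviours described in this thread, modelled in Python over constructed data: the original unchecked lookup by id, the author-only fix the reporter complains about, and the thread-visibility rule they ask for. The sub-forum names, user names and comment bodies are constructed for the example.

```python
from dataclasses import dataclass

# Constructed data for the example; not the forum's real schema.
@dataclass(frozen=True)
class User:
    name: str
    is_staff: bool = False

@dataclass(frozen=True)
class Comment:
    id: int
    thread_id: int
    author: str
    body: str

# thread_id -> sub-forum path; staff sub-forums are not public
THREADS = {1: "general", 2: "staff/mod-talk"}
STAFF_FORUMS = {"staff", "staff/mod-talk"}
COMMENTS = {
    10: Comment(10, 1, "alice", "public reply"),
    46: Comment(46, 2, "fluxflashor", "a playful, slightly Hearthstoney font"),
}

def can_view_thread(user: User, thread_id: int) -> bool:
    """Thread-level read permission: staff sub-forums require a staff user."""
    return THREADS[thread_id] not in STAFF_FORUMS or user.is_staff

def quote_unchecked(user: User, comment_id: int):
    """Original bug: lookup by id with no authorization at all."""
    c = COMMENTS.get(comment_id)
    return (404, None) if c is None else (200, c.body)

def quote_author_only(user: User, comment_id: int):
    """First fix from the thread: only the author may quote, which breaks
    the Quote button for every comment written by someone else."""
    c = COMMENTS.get(comment_id)
    if c is None or c.author != user.name:
        return (403, None)
    return (200, c.body)

def quote(user: User, comment_id: int):
    """Intended rule: anyone who may view the containing thread may quote it.
    Missing and forbidden ids get the same answer so the endpoint does not
    reveal which ids exist inside private sub-forums."""
    c = COMMENTS.get(comment_id)
    if c is None or not can_view_thread(user, c.thread_id):
        return (404, None)
    return (200, c.body)
```

The check is made against the object's container (the thread), which is the standard shape for an object-level authorization fix; checking ownership of the comment itself is the wrong granularity here.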