Bugs Realm

Bugs

0 Characters

[Security] Reading staff conversation as non admin.

Submitted 4 years, 11 months ago by

Hi!

It looks like you have an issue with authorization using "comments/quote" rest method.

As for now it allows non-admin users to get any comment message content (even from non-public staff/mod-talk/ sub-forum) by id.

For example message with id 46 clearly contains some sensitive admin data about ".. a playful, slightly Hearthstoney font."

Also members page for admin user (like /members/fluxflashor) allows to see the names of threads from staff/ sub-forum, that can also potentially leaks some sensitive information.

  • zmacr's Avatar
    40 3 Posts Joined 03/28/2019
    Posted 4 years, 11 months ago

    Hi!

    It looks like you have an issue with authorization using "comments/quote" rest method.

    As for now it allows non-admin users to get any comment message content (even from non-public staff/mod-talk/ sub-forum) by id.

    For example message with id 46 clearly contains some sensitive admin data about ".. a playful, slightly Hearthstoney font."

    Also members page for admin user (like /members/fluxflashor) allows to see the names of threads from staff/ sub-forum, that can also potentially leaks some sensitive information.

    1
  • Fluxflashor's Avatar
    CEO 2005 3060 Posts Joined 10/19/2018
    Posted 4 years, 11 months ago

    Thanks for the report, zmacr.

    Both issues have been fixed.

    Founder, Out of Games

    Follow me on Twitch and Twitter.
    If you are planning on playing WoW on US realms, consider using my recruit link =)

    1
  • zmacr's Avatar
    40 3 Posts Joined 03/28/2019
    Posted 4 years, 11 months ago

    ... looks like now I can only "Quote" my own messages, and not the messages of other users (forum Quote button is useless for now).

    Instead I think user should be able to Quote any message (written by any user) which belongs to threads he authorized to view.

    Second issue looks fixed with no further problems.

    0
  • Leave a Comment

    You must be signed in to leave a comment. Sign in here.

    ODYN
    0 Users Here