https://bugs.kde.org/show_bug.cgi?id=488911
Bug ID: 488911
Summary: unauthenticated users can view attachments of bug reports
Classification: Websites
Product: bugs.kde.org
Version: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: critical
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: ---
SUMMARY
The view-attachment endpoint doesn't require authentication, which leads to
information disclosure about bug reports.
STEPS TO REPRODUCE
1. Go to this link without logging in:
https://bugsfiles.kde.org/attachment.cgi?id=170764
2. Now change the id parameter and notice that you are able to
view/download all the attachments of other users without even logging in.
OBSERVED RESULT
Doesn't check if the user is authenticated.
EXPECTED RESULT
Check whether the user is authorized to view the attachment.
ADDITIONAL INFORMATION
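An added illustration of the missing check, not Bugzilla's code and not part of the report: a minimal attachment endpoint that returns a file by id alone (the behaviour the report describes) next to one that first resolves the attachment to its bug and checks that the requesting user may see that bug. The bug, attachment, user and group records are constructed sample data, and the group-based visibility model is a simplification assumed for the example.

```python
"""Attachment serving with and without an authorization check.

Constructed example: the records, names and group model below are made up
and only approximate how a bug tracker ties attachment visibility to the
visibility of the parent bug.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


# An unauthenticated request is treated as a user with no group memberships.
ANONYMOUS = User("anonymous")


@dataclass(frozen=True)
class Bug:
    bug_id: int
    public: bool
    groups: frozenset = frozenset()  # groups allowed to see a restricted bug


@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    bug_id: int
    content: bytes


# Constructed sample data; ids are arbitrary.
BUGS = {
    1: Bug(1, public=True),
    2: Bug(2, public=False, groups=frozenset({"security"})),
}
ATTACHMENTS = {
    10: Attachment(10, bug_id=1, content=b"public backtrace"),
    20: Attachment(20, bug_id=2, content=b"embargoed reproducer"),
}


class NotFound(Exception):
    """Raised for an unknown id and, deliberately, for a forbidden one."""


def serve_attachment_unchecked(attachment_id: int) -> bytes:
    """The pattern the report describes: look up by id and return it.

    Nothing ties the response to who is asking, so any id that exists is
    served to anyone.
    """
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        raise NotFound(attachment_id)
    return att.content


def user_can_see_bug(user: User, bug: Bug) -> bool:
    """Visibility rule: public bugs are open; restricted bugs need a shared group."""
    if bug.public:
        return True
    return bool(user.groups & bug.groups)


def serve_attachment(user: User, attachment_id: int) -> bytes:
    """Hardened handler: authorize against the parent bug before serving."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        raise NotFound(attachment_id)
    bug = BUGS[att.bug_id]
    if not user_can_see_bug(user, bug):
        # Same response as a missing id, so a caller cannot learn which ids
        # exist by comparing "not found" with "forbidden".
        raise NotFound(attachment_id)
    return att.content


def can_serve(user: User, attachment_id: int) -> bool:
    """True if the hardened handler would return content for this request."""
    try:
        serve_attachment(user, attachment_id)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    for uid in (10, 20):
        print(uid, "anonymous:", can_serve(ANONYMOUS, uid),
              "security member:", can_serve(User("t", frozenset({"security"})), uid))
```

The decision is made per request against the bug's own visibility rule rather than against the attachment table, because an attachment inherits its sensitivity from the bug it belongs to; an id that the caller may not see gets the same response as an id that does not exist.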