https://bugs.kde.org/show_bug.cgi?id=488911
            Bug ID: 488911
           Summary: unauthenticated users can view attachments of bug reports
    Classification: Websites
           Product: bugs.kde.org
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: critical
          Priority: NOR
         Component: general
          Assignee: sysad...@kde.org
          Reporter: akberbadsh...@gmail.com
                CC: she...@kde.org
  Target Milestone: ---

*** If you're not sure this is actually a bug, instead post about it at
https://discuss.kde.org

If you're reporting a crash, attach a backtrace with debug symbols; see
https://community.kde.org/Guidelines_and_HOWTOs/Debugging/How_to_create_useful_crash_reports
***

SUMMARY
The view-attachment endpoint doesn't require authentication, which leads to
information disclosure about bug reports.

STEPS TO REPRODUCE
1. Go to this link without logging in:
   https://bugsfiles.kde.org/attachment.cgi?id=170764
2. Now change the id parameter and notice that you are able to view/download
   all the attachments of other users without even logging in.

OBSERVED RESULT
Doesn't check if the user is authenticated.

EXPECTED RESULT
Check whether the user is authorized to view the attachment.

ADDITIONAL INFORMATION

-- 
You are receiving this mail because:
You are watching all bug changes.