Closed Bug 1463949 Opened 8 years ago Closed 8 years ago

Information disclosure on discourse.mozilla.org

Categories

(Websites :: Other, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: johndoe1492, Unassigned)

References

()

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Found this site and, since it uses https://auth.mozilla.auth0.com, considered that it is not a community site and that it belongs to Mozilla. If we open this page, we will see just a topic on the forum: https://discourse.mozilla.org/t/about-the-sumo-category/7396

But if we use view-source: view-source:https://discourse.mozilla.org/t/about-the-sumo-category/7396 we will see a huge load of information. To be honest, I have absolutely no idea what it is, or even whether it is sensitive information. But some information (examples below) I think may be sensitive:

"groups":[{"id":1,"name":"admins"},{"id":64,"name":"campus_clubs"},{"id":44,"name":"commsquared"},{"id":52,"name":"community_feedback"},{"id":41,"name":"CommunityIT"},{"id":0,"name":"everyone"},{"id":51,"name":"FoxYeah"},{"id":68,"name":"iam-project"},{"id":61,"name":"moco"},{"id":2,"name":"moderators"},{"id":62,"name":"mofo"},{"id":74,"name":"mozilla-kerala-internal-access"},{"id":56,"name":"MozillaWiki_team"},{"id":69,"name":"nda"},{"id":58,"name":"OpenInnovPrize"},{"id":55,"name":"OpenInnovToolkit"} (nda and internal access sound interesting)

"min_admin_password_length":15 (really don't think that any site user must know the length of the admin password)

womoz@mozilla-community.org","email_in_allow_strangers", (I suggest that it is a setting which disallows anonymous users to see the email, but still I can see it :)

We can see user IDs, privileges and so on. Well, maybe I am mistaken and this is just some test database, but I doubt it, and considered it worth reporting.
Flags: sec-bounty?
Attached file mozillians.html
Full information is in the attachment, or you can just visit provided URL.
John: thanks for your report. Based on what I'm seeing here, this is all public information. The length thing is a minimum, not a measure of an existing admin password. We're not concerned with email address leakage for that particular user; it's considered public. In short, I don't believe any of this is sensitive, so I'm closing this bug as invalid. Thanks for your report!
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Group: websites-security
Flags: sec-bounty?
Flags: sec-bounty-hof-
Flags: sec-bounty-