Some info about users and their privileges are visible

RESOLVED DUPLICATE of bug 455119

Status

developer.mozilla.org
General
7 years ago
2 years ago

People

(Reporter: gubretnuh, Unassigned)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17
Build Identifier: Information disclosure in developer.mozilla.org

Hello Mozilla,

I have discovered some URLs that might allow attackers to gather information about users and their privileges in the context of the deki software.

https://developer.mozilla.org/@api/deki/users/1
https://developer.mozilla.org/@api/deki/users/2
https://developer.mozilla.org/@api/deki/users/3
etc...

It's also possible to recover information about your deki license:

https://developer.mozilla.org/@api/deki/license

Even some info about enabled or disabled deki components is visible from these URLs:

https://developer.mozilla.org/@api/deki/site/services/4
etc...


Reproducible: Always


Actual Results:  
I can see info about deki users, licence and service configuration.

Expected Results:  
No kind of info disclosure is possible

This is a duplicate of an existing bug. You've been copied into the original bug. This will be addressed with a pending software upgrade.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 455119
(Reporter)

Comment 2

7 years ago
OK, perfect. Ensure that even licence and services info are patched with the new release!
(Assignee)

Updated

6 years ago
Component: Deki Infrastructure → Other
Product: Mozilla Developer Network → Mozilla Developer Network
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security