User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:220.127.116.11) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17
Build Identifier:

Information disclosure in developer.mozilla.org

Hello Mozilla,

I have discovered some URLs that might allow attackers to gather information about users and their privileges in the context of the deki software.

https://developer.mozilla.org/@api/deki/users/1
https://developer.mozilla.org/@api/deki/users/2
https://developer.mozilla.org/@api/deki/users/3
etc...

It's also possible to recover information about your deki license:
https://developer.mozilla.org/@api/deki/license

Even some info about enabled or disabled deki components is visible from these URLs:
https://developer.mozilla.org/@api/deki/site/services/4
etc..

Reproducible: Always

Actual Results:
I can see info about deki users, licence and service configuration.

Expected Results:
No kind of info disclosure is possible
This is a duplicate of an existing bug. You've been copied into the original bug. This will be addressed with a pending software upgrade.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 455119
Ok perfect. Ensure that even licence and services info are patched with the new release!
Component: Deki Infrastructure → Other
Product: Mozilla Developer Network → Mozilla Developer Network
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.