Closed
Bug 655800
Opened 13 years ago
Closed 13 years ago
Some info about users and their privileges are visible
Categories
(developer.mozilla.org Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 455119
People
(Reporter: gubretnuh, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.04 (lucid) Firefox/3.6.17
Build Identifier:

Information disclosure in developer.mozilla.org

Hello Mozilla,
I have discovered some URLs that might allow attackers to gather information about users and their privileges in the context of the deki software.

https://developer.mozilla.org/@api/deki/users/1
https://developer.mozilla.org/@api/deki/users/2
https://developer.mozilla.org/@api/deki/users/3
etc...

It's also possible to recover information about your deki license:
https://developer.mozilla.org/@api/deki/license

Even some info about enabled or disabled deki components is visible from these URLs:
https://developer.mozilla.org/@api/deki/site/services/4
etc..

Reproducible: Always

Actual Results:
I can see info about deki users, licence and service configuration.

Expected Results:
No kind of info disclosure is possible
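Added example, not part of the original report or of Mozilla's or Deki's code: a log review that flags anonymous clients that were successfully served the three endpoint families named in the report. It assumes a combined-style access log with the authenticated user in the third field; the sample lines, IP addresses and threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines; the IPs come from documentation
# ranges and are not taken from the bug report.
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2011:10:00:01 +0000] "GET /@api/deki/users/1 HTTP/1.1" 200 512
198.51.100.7 - - [10/May/2011:10:00:02 +0000] "GET /@api/deki/users/2 HTTP/1.1" 200 498
198.51.100.7 - - [10/May/2011:10:00:03 +0000] "GET /@api/deki/users/3 HTTP/1.1" 200 530
198.51.100.7 - - [10/May/2011:10:00:04 +0000] "GET /@api/deki/license HTTP/1.1" 200 2048
203.0.113.9 - editor1 [10/May/2011:10:01:00 +0000] "GET /@api/deki/users/42 HTTP/1.1" 200 500
203.0.113.20 - - [10/May/2011:10:02:00 +0000] "GET /@api/deki/site/services/4 HTTP/1.1" 403 120
"""

# ip, ident, user, [timestamp], "GET path protocol", status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) ')
USER = re.compile(r'^/@api/deki/users/(\d+)$')
CONFIG = re.compile(r'^/@api/deki/(license|site/services/\d+)$')

def find_anonymous_disclosure(log_text, user_threshold=3):
    """Return {client_ip: [findings]} for successful anonymous API reads."""
    user_ids = defaultdict(set)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, remote_user, path, status = m.groups()
        path = path.split("?", 1)[0]  # ignore any query string
        # Only anonymous requests ("-" user) that were actually served matter.
        if remote_user != "-" or status != "200":
            continue
        if (u := USER.match(path)):
            user_ids[ip].add(int(u.group(1)))
        elif CONFIG.match(path):
            findings[ip].append(f"config read: {path}")
    # Several distinct user records read by one anonymous client is reported
    # as a single finding (threshold is an assumed tuning value).
    for ip, ids in user_ids.items():
        if len(ids) >= user_threshold:
            findings[ip].append(f"user records read: {sorted(ids)}")
    return dict(findings)

if __name__ == "__main__":
    for ip, items in find_anonymous_disclosure(SAMPLE_LOG).items():
        print(ip, items)
```

After the upgrade mentioned in the thread, the same review over fresh logs should return nothing for anonymous clients if the endpoints no longer answer 200 without a session.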
Comment 1•13 years ago
This is a duplicate of an existing bug. You've been copied into the original bug. This will be addressed with a pending software upgrade.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Ok perfect. Ensure that even licence and services info are patched with the new release!
Updated•12 years ago
Component: Deki Infrastructure → Other
Comment 3•8 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•4 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard