SECURITY ISSUE:You are able to add pages to other groups you have no access to
In this exploit you can create pages like discussions/wikipages/images in groups that you have no access to (are not a member of). I did the following to achieve this:
1. Create an account and a group
2. Go to a page where you can add something, for instance the wiki page: https://we.riseup.net/wiki_page/create/wiki?group=yourgroup
3. Change the 'yourgroup' part in the URL to the name of the group you want to add content to, for instance https://we.riseup.net/wiki_page/create/wiki?group=othergroup and load that page.
4. You can now fill in whatever you want and upload it, it will be saved to the group of your choice and you will have further access to it.
It's not directly possible to compromise the server or accounts with this, but it can lead to information leakage. For instance, if I wanted to know who were in a certain group I could add a wiki-page (or a discussion whatever) with an embedded image. Whoever loads this page will automaticly load that image and I can tell from the logs of my webserver who where in the group because noone outside the group knew the url and thus couldn't have requested it from the server.
Probably easily fixed but potentially dangerous :P
#3 Updated by el_topo over 6 years ago
I think we have the same problem here between this two group, especially the "how to start" page
when you writte on one page it, also writte on the other. Can someone confirme this is the same bug? if not I'll report it as a new bug.