Project

General

Profile

Bug #2776

SECURITY ISSUE:You are able to add pages to other groups you have no access to

Added by shokora over 6 years ago. Updated about 3 years ago.

Status:
Fix committed
Priority:
Urgent
Assignee:
Category:
Permissions
Target version:
-
Start date:
02/28/2011
Due date:
% Done:

0%

QA Check:
Feature Branch:

Description

In this exploit you can create pages like discussions/wikipages/images in groups that you have no access to (are not a member of). I did the following to achieve this:

1. Create an account and a group
2. Go to a page where you can add something, for instance the wiki page: https://we.riseup.net/wiki_page/create/wiki?group=yourgroup
3. Change the 'yourgroup' part in the URL to the name of the group you want to add content to, for instance https://we.riseup.net/wiki_page/create/wiki?group=othergroup and load that page.
4. You can now fill in whatever you want and upload it, it will be saved to the group of your choice and you will have further access to it.

It's not directly possible to compromise the server or accounts with this, but it can lead to information leakage. For instance, if I wanted to know who were in a certain group I could add a wiki-page (or a discussion whatever) with an embedded image. Whoever loads this page will automaticly load that image and I can tell from the logs of my webserver who where in the group because noone outside the group knew the url and thus couldn't have requested it from the server.

Probably easily fixed but potentially dangerous :P

History

#1 Updated by shokora over 6 years ago

This also works when the other group has unchecked 'Make Group Publicly Visible'.

#2 Updated by mcnair over 6 years ago

  • Assignee set to azul

#3 Updated by el_topo almost 6 years ago

I think we have the same problem here between this two group, especially the "how to start" page
https://we.riseup.net/anarchisme_2012_st-imier/how-to-start+101146
https://we.riseup.net/istanbul2013/how-to-start+101146

when you writte on one page it, also writte on the other. Can someone confirme this is the same bug? if not I'll report it as a new bug.

thanks
in solidarity
el topo

#4 Updated by cb almost 4 years ago

  • Category set to Permissions

This one is quite old, need to be fixed :)

#5 Updated by azul about 3 years ago

  • Status changed from New to Fix committed

I confirmed this is fixed in the core rework and added a test for it.

Also available in: Atom PDF