Bug Report: Set administrator private album to public via CSRF & Incorrect Permissions #721
Incorrect Permissions in album ID
The public / private tags
- [√] Response with status 200 means that this album is accessible
- [√] Response with status 301 means that you don’t have the privilege to access.
Based on the brute-force result.
Now it is time to republish it.
Cross-Site Request Forgery in the page permalinks, and in status, visible and comments in the page cat_options.
There is no pwg_token in the request.
Discovered by: topsec (Li Zhiqiang)
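The following is an added example, not code from the report above and not the application's own source: a minimal model of an admin "set album status" handler with and without a per-session CSRF token check in the style of the pwg_token the report says is missing. The handler, field and function names (`set_status_vulnerable`, `set_status_hardened`, `cat_id`, `status`), the session cookie value and the album table are assumptions constructed for illustration. It shows why a forged cross-site POST succeeds against the unchecked handler and is rejected by the checked one.

```python
"""Added example: CSRF token check modelled on a pwg_token-style admin request.
Not the project's code; names and sample data are assumptions."""
import hashlib
import hmac
import secrets

# Constructed sample state: album 7 belongs to the administrator and is private.
ALBUMS = {7: {"status": "private"}}


def fresh_albums():
    """Return a fresh copy of the constructed album table for each scenario."""
    return {aid: dict(v) for aid, v in ALBUMS.items()}


def get_pwg_token(session_id, secret):
    """Derive a per-session token: HMAC(server secret, session id). An attacker's
    page cannot compute this because it never sees the secret or the session id."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_pwg_token(form, session_id, secret):
    """Constant-time comparison of the submitted token against the expected one."""
    submitted = form.get("pwg_token", "")
    return hmac.compare_digest(submitted, get_pwg_token(session_id, secret))


def set_status_vulnerable(albums, session_id, form):
    """Vulnerable handler (assumed shape): trusts the session cookie alone.
    A form auto-submitted from an attacker's site inside the logged-in admin's
    browser carries that cookie, so the status change is applied."""
    if session_id is None:
        return False  # not logged in
    albums[int(form["cat_id"])]["status"] = form["status"]
    return True


def set_status_hardened(albums, session_id, form, secret):
    """Hardened handler: additionally requires a valid pwg_token in the form."""
    if session_id is None or not check_pwg_token(form, session_id, secret):
        return False
    albums[int(form["cat_id"])]["status"] = form["status"]
    return True


def demo():
    """Run the four scenarios and return (handler result, resulting status)."""
    secret = secrets.token_bytes(32)
    admin_session = "admin-session-cookie"  # constructed placeholder
    forged = {"cat_id": "7", "status": "public"}  # all a cross-site page can send
    legit = dict(forged, pwg_token=get_pwg_token(admin_session, secret))
    wrong = dict(forged, pwg_token="0" * 64)

    a1 = fresh_albums()
    r1 = set_status_vulnerable(a1, admin_session, forged)
    a2 = fresh_albums()
    r2 = set_status_hardened(a2, admin_session, forged, secret)
    a3 = fresh_albums()
    r3 = set_status_hardened(a3, admin_session, wrong, secret)
    a4 = fresh_albums()
    r4 = set_status_hardened(a4, admin_session, legit, secret)
    return {
        "vulnerable_forged": (r1, a1[7]["status"]),
        "hardened_forged": (r2, a2[7]["status"]),
        "hardened_wrong_token": (r3, a3[7]["status"]),
        "hardened_legit": (r4, a4[7]["status"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same check applies to every state-changing admin action the report lists (permalinks, status, visible, comments): the token must be emitted into the form by the server and verified on every POST, and the comparison is done with `hmac.compare_digest` so a timing side channel does not leak it.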