AjaxController #87
Comments
It returns true or false only!
You can learn a lot by performing simple if (i.e. are John and Tom friends, was John born in 1981, is there any cash in Tom's account).
It is a pretty serious issue I think. For example, an attacker can retrieve user passwords using the repository method. You can also pass arrays to POST, which means that the attacker can use. I believe it is also possible to use. I found out about this issue because some robot was trying to access this URL on my project without it being used in my code at all. This could mean that someone already wrote a robot to scan Symfony projects and check whether this route is accessible.
… table by any field - the public route is a security issue, see formapro/JsFormValidatorBundle#87 - the purpose of the route is for ajax validation of an entity uniqueness but the feature is not used in the framework anyway
So you're just giving public access for anyone to lookup any table by any field?
why not just pass DQL as parameter?
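The comments above describe the risk in the bundle's public route (any entity, any field, a yes/no answer, array parameters accepted) and ask why anyone should get public lookup access to every table. As an added example that is not code from JsFormValidatorBundle, here is how a Symfony application can expose the same "is this value unique?" feature without handing the client a lookup oracle: the client selects one named check from a server-side allow-list, the field name and entity never come from the request, only a short string value is accepted, and the request is tied to a CSRF token. The controller, route, `User` entity and field names are illustrative assumptions.

```php
<?php
// Added example (not code from JsFormValidatorBundle): a hardened AJAX
// uniqueness-check endpoint for a Symfony app. Class, route, entity and
// field names are illustrative assumptions.

namespace App\Controller;

use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

final class UniqueCheckController
{
    /**
     * Only these (entity, field) pairs may be probed. The problem reported in
     * this issue is that the route accepted the entity and the field from the
     * client, which turns "does a row exist?" into a yes/no oracle over every
     * column, password hashes included. An allow-list keyed by a check name
     * removes that choice from the client entirely.
     */
    private const ALLOWED = [
        'user_email'    => [User::class, 'email'],
        'user_username' => [User::class, 'username'],
    ];

    public function __construct(
        private EntityManagerInterface $em,
        private CsrfTokenManagerInterface $csrf,
    ) {}

    #[Route('/form/unique-check', name: 'app_unique_check', methods: ['POST'])]
    public function __invoke(Request $request): JsonResponse
    {
        // The check only makes sense when triggered from our own form, so it is
        // bound to a CSRF token instead of being reachable by any anonymous POST.
        $token = $request->request->get('_token');
        if (!is_string($token) || !$this->csrf->isTokenValid(new CsrfToken('unique_check', $token))) {
            return new JsonResponse(['error' => 'invalid token'], 403);
        }

        $check = $request->request->get('check');
        $value = $request->request->get('value');

        // Reject unknown check names and anything that is not a short scalar
        // string. Arrays posted as parameters (the "pass arrays to POST" point
        // above) would otherwise reach the repository as a query condition.
        if (!is_string($check) || !isset(self::ALLOWED[$check])) {
            return new JsonResponse(['error' => 'unknown check'], 400);
        }
        if (!is_string($value) || $value === '' || strlen($value) > 255) {
            return new JsonResponse(['error' => 'invalid value'], 400);
        }

        [$class, $field] = self::ALLOWED[$check];

        // Exact-match count on a fixed, server-chosen field: no user-controlled
        // field name, entity name, operator or DQL fragment is ever evaluated.
        $exists = $this->em->getRepository($class)->count([$field => $value]) > 0;

        // Return only the single boolean the form needs.
        return new JsonResponse(['unique' => !$exists]);
    }
}
```

Two design points worth noting. First, the allow-list is deliberately small and only lists fields that are meant to be publicly known to be unique (a registration form already tells a user whether an e-mail or username is taken), so the remaining yes/no answer leaks nothing new. Second, the controller never builds a query from request data, which is also the answer to the "why not just pass DQL as parameter?" question: any query text or field name taken from the client is the same oracle in a different shape. If the uniqueness check is not used at all, as the linked commit notes, removing the route is the simpler fix.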