Security Vuln: Check API access to entity details
Access through the /api/user/<id> and /api/group/<id> routes was not properly being checked. This meant that anyone could easily enumerate users and groups. User information disclosed would include which SRP groups a user is in, whether they are an admin, which permissions a user has been granted, as well as the details for every SRP request that user has submitted, including the character name for the loss. The authentication source (Test Auth, EVE SSO, etc.) for the user would also be disclosed through the requests, along with the ID associated with that authentication method. Group information disclosed would include the group name, permissions granted within that group, as well as all members of the group. v0.12.2 is going to be released shortly addressing this vulnerability. A large thank you to the individual who brought this to my attention.
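The class of bug the commit message describes, as an added illustration that is not the project's code: a hypothetical entity-detail handler that ignores the caller, beside a version that requires a session and restricts access to admins, the user themself, or group members. The `User`/`Group` models, the authorization rule and the sample data are all assumptions made for this example.

```python
from dataclasses import dataclass

# Hypothetical stand-ins for the app's user and group models (assumed, not the project's code).
@dataclass(frozen=True)
class User:
    id: int
    name: str
    admin: bool = False
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Group:
    id: int
    name: str
    members: frozenset = frozenset()

# Constructed sample data for the example.
USERS = {
    1: User(1, "alice", admin=True, groups=frozenset({10})),
    2: User(2, "bob", groups=frozenset({10})),
    3: User(3, "carol", groups=frozenset({20})),
}
GROUPS = {10: Group(10, "Corp A", frozenset({1, 2})), 20: Group(20, "Corp B", frozenset({3}))}

class Unauthorized(Exception): pass  # maps to HTTP 401: no authenticated session
class Forbidden(Exception): pass     # maps to HTTP 403: session present, access denied

def user_detail_unchecked(requester, user_id):
    # Before the fix: the handler never consults `requester`, so an anonymous
    # caller can walk /api/user/1, /api/user/2, ... and read every record.
    u = USERS[user_id]
    return {"id": u.id, "name": u.name, "admin": u.admin, "groups": sorted(u.groups)}

def user_detail(requester, user_id):
    # After the fix: require a session, then allow admins or the user themself.
    if requester is None:
        raise Unauthorized
    u = USERS.get(user_id)
    # Unknown and denied ids get the same response, so the route does not reveal which ids exist.
    if u is None or not (requester.admin or requester.id == user_id):
        raise Forbidden
    return {"id": u.id, "name": u.name, "admin": u.admin, "groups": sorted(u.groups)}

def group_detail(requester, group_id):
    # Same pattern for /api/group/<id>: admins, or members of that group.
    if requester is None:
        raise Unauthorized
    g = GROUPS.get(group_id)
    if g is None or not (requester.admin or requester.id in g.members):
        raise Forbidden
    return {"id": g.id, "name": g.name, "members": sorted(g.members)}
```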