Hello. I found a security issue today with your phpBB3 Topic Tagging mod. If you tag a topic in a restricted forum (i.e. only visible to registered users), the tag will be seen by anonymous users. Clicking on the tag will reveal the topic which they should never have access to.
Steps to repro:
1: Create a new topic in a forum which is only visible to registered users.
2: Tag the topic with the word "Secret"
3: Log out
4: Notice that "secret" is now seen in the tag cloud, even for anonymous users.
5: As an anonymous user, click the "secret" tag in the tag cloud
Results:
Anonymous user can now see the topic that was tagged. They can see the forum name, the poster, etc.
Expected Results:
Anonymous user should not see tags for topics they cannot access. Anonymous users should not be allowed to bypass security and see topics they don't have access to just by viewing the tag cloud.
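Added example, not part of the original report and not the mod's own code: a simplified model of the expected behaviour, in which both the tag cloud and the tag results page are limited to forums the viewer may read. The schema, the sample rows, the function names and the `readable_forums` list (standing in for whatever the board's permission system returns for the current viewer) are all assumptions made for illustration.

```python
import sqlite3

# Constructed schema and rows: a simplified model, not the mod's real tables.
SCHEMA = """
CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, forum_id INTEGER, title TEXT);
CREATE TABLE topic_tags (topic_id INTEGER, tag TEXT);
INSERT INTO topics VALUES (1, 10, 'Welcome'), (2, 20, 'Members-only plans'), (3, 10, 'Rules');
INSERT INTO topic_tags VALUES (1, 'intro'), (2, 'secret'), (2, 'intro'), (3, 'intro');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def forum_filter(readable_forums):
    # An empty list must match nothing: never emit "IN ()" or drop the clause.
    if not readable_forums:
        return "0 = 1", []
    marks = ",".join("?" * len(readable_forums))
    return f"t.forum_id IN ({marks})", list(readable_forums)

def tag_cloud_unfiltered(db):
    # The reported behaviour: tags are counted with no regard to who is asking.
    rows = db.execute("SELECT tag, COUNT(*) FROM topic_tags GROUP BY tag ORDER BY tag")
    return dict(rows.fetchall())

def tag_cloud(db, readable_forums):
    # Count only tags attached to topics in forums the viewer may read.
    clause, params = forum_filter(readable_forums)
    rows = db.execute(
        "SELECT tt.tag, COUNT(*) FROM topic_tags tt "
        "JOIN topics t ON t.topic_id = tt.topic_id "
        f"WHERE {clause} GROUP BY tt.tag ORDER BY tt.tag", params)
    return dict(rows.fetchall())

def topics_for_tag(db, tag, readable_forums):
    # The tag results page needs the same check: hiding the tag in the cloud
    # is not enough, because the results page can be requested directly.
    clause, params = forum_filter(readable_forums)
    rows = db.execute(
        "SELECT t.title FROM topic_tags tt "
        "JOIN topics t ON t.topic_id = tt.topic_id "
        f"WHERE tt.tag = ? AND {clause} ORDER BY t.topic_id", [tag] + params)
    return [r[0] for r in rows]
```

Here forum 20 plays the registered-only forum; a viewer whose readable list is `[10]` gets no "secret" tag in the cloud and an empty result for it, while the shared "intro" tag is counted only for the topics that viewer can open.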