Tags for forums the user doesn't have access to can be seen #6

Closed
veganista opened this issue Mar 24, 2011 · 1 comment

@veganista
Owner

Hello. I found a security issue today with your phpBB3 Topic Tagging mod. If you tag a topic in a restricted forum (i.e. only visible to registered users), the tag will be seen by anonymous users. Clicking on the tag will reveal the topic which they should never have access to.

Steps to repro:
1: Create a new topic in a forum which is only visible to registered users.
2: Tag the topic with the word "Secret"
3: Log out
4: Notice that "secret" is now seen in the tag cloud, even for anonymous users.
5: As an anonymous user, click the "secret" tag in the tag cloud

Results:
Anonymous user can now see the topic that was tagged. They can see the forum name, the poster, etc.

Expected Results:
Anonymous user should not see tags for topics they cannot access. Anonymous users should not be allowed to bypass security and see topics they don't have access to just by viewing the tag cloud.

@ghost ghost assigned veganista May 5, 2011
@veganista
Owner Author

Issue has been fixed
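
An added example, not part of the issue thread or the mod's code: a sketch of the access check the report asks for, applied to both the tag cloud and the tag-click listing, next to the unfiltered query that reproduces the reported behaviour. The schema, the `FORUM_READERS` permission map, the sample rows and all function names are assumptions constructed for illustration.

```python
import sqlite3

# Constructed schema and data: table/column names are assumptions, not the mod's schema.
SCHEMA = """
CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, forum_id INTEGER, title TEXT);
CREATE TABLE topic_tags (topic_id INTEGER, tag TEXT);
INSERT INTO topics VALUES (1, 10, 'Welcome'), (2, 20, 'Members-only plans');
INSERT INTO topic_tags VALUES (1, 'intro'), (2, 'intro'), (2, 'secret');
"""
# forum_id -> groups allowed to read it (stand-in for the board's permission check).
FORUM_READERS = {10: {"anonymous", "registered"}, 20: {"registered"}}

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def forum_filter(group):
    """SQL predicate plus bound ids limiting rows to forums the group may read."""
    ids = sorted(f for f, groups in FORUM_READERS.items() if group in groups)
    if not ids:
        return "0", []  # no readable forum: match nothing
    return "t.forum_id IN (%s)" % ",".join("?" * len(ids)), ids

def tag_cloud_unfiltered(db):
    """Reported behaviour: every tag is listed, whatever forum its topic is in."""
    return dict(db.execute("SELECT tag, COUNT(*) FROM topic_tags GROUP BY tag"))

def tag_cloud(db, group):
    """Count a tag only on topics in forums the viewer may read."""
    where, ids = forum_filter(group)
    sql = ("SELECT tg.tag, COUNT(*) FROM topic_tags tg "
           "JOIN topics t ON t.topic_id = tg.topic_id "
           f"WHERE {where} GROUP BY tg.tag")
    return dict(db.execute(sql, ids))

def topics_for_tag(db, tag, group):
    """The tag-click listing needs the same filter; fixing the cloud alone still leaks."""
    where, ids = forum_filter(group)
    sql = ("SELECT t.title FROM topic_tags tg "
           "JOIN topics t ON t.topic_id = tg.topic_id "
           f"WHERE tg.tag = ? AND {where} ORDER BY t.topic_id")
    return [row[0] for row in db.execute(sql, [tag, *ids])]
```

Filtering on the topic's forum also corrects the counts: a tag used in both a public and a restricted forum is shown to anonymous users with only its public uses.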
