CTF-Cafe / CTF_Cafe_platform

A full CTF Website Server & Frontend | Extremely customizable

[Information Disclosure] on /registerTeam /joinTeam /leaveTeam #102

Closed RaxoCoding closed 1 year ago

RaxoCoding commented 1 year ago

Whenever these endpoints are called, at the end the user object from MongoDB is sent back without any filtering, so the whole user object is sent back to the user.

FIX : Do not handle sending user or team object back to the frontEnd.

Ref 1 : https://github.com/CTF-Cafe/CTF_Cafe_platform/blob/a1906941c3b9086bd213399812b19c89ab9cf0ab/backEnd/controllers/teamController.js#L9

Ref 2 : https://github.com/CTF-Cafe/CTF_Cafe_platform/blob/a1906941c3b9086bd213399812b19c89ab9cf0ab/backEnd/controllers/teamController.js#L121

Ref 3 : https://github.com/CTF-Cafe/CTF_Cafe_platform/blob/a1906941c3b9086bd213399812b19c89ab9cf0ab/backEnd/controllers/teamController.js#L321
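The pattern the report describes, shown as an added example rather than CTF_Cafe's own code: a handler that echoes the raw MongoDB user document beside one that follows the proposed fix and returns no user object at all, plus an allowlist projection for endpoints that genuinely must return profile data. The document shape, field names and `leakedFields` helper are constructed assumptions for illustration.

```javascript
// Constructed sample of a users-collection document (not real data): the kind
// of record a team endpoint would load before echoing it back to the browser.
const sampleUser = {
  _id: "64f0c1a2b3c4d5e6f7a8b9c0",
  username: "alice",
  email: "alice@example.com",
  password: "$2b$10$constructed-bcrypt-hash-placeholder",
  team: "64f0c1a2b3c4d5e6f7a8b9c1",
  isAdmin: false,
  score: 1337,
};

// Vulnerable pattern: the whole document, password hash and internal flags
// included, is serialised straight into the JSON response.
function joinTeamVulnerable(user) {
  return { state: "success", user };
}

// Fixed pattern (the issue's proposed fix): the endpoint reports success only
// and never hands the user document to the front end.
function joinTeamFixed(user, teamId) {
  user.team = teamId; // persistence of the change happens here in a real app
  return { state: "success" };
}

// Where an endpoint must return profile data, build the response from an
// explicit allowlist. Denylisting known secrets misses new sensitive fields.
const PUBLIC_USER_FIELDS = ["username", "team", "score"];
function toPublicUser(doc) {
  return Object.fromEntries(
    PUBLIC_USER_FIELDS.filter((k) => k in doc).map((k) => [k, doc[k]])
  );
}

// Review helper: which fields of a response's user object fall outside the
// allowlist? Useful as a regression check in the API tests.
function leakedFields(response, allow = PUBLIC_USER_FIELDS) {
  const user = response.user;
  if (!user) return [];
  return Object.keys(user).filter((k) => !allow.includes(k)).sort();
}
```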

RaxoCoding commented 1 year ago

Fixed : b29992b04b6911c1cd10f53a81c7ac0a3e5bf841