autonity / docs.autonity.org

Documentation for the Autonity Go Client (AGC)
https://docs.autonity.org

endpoint sends a key with Access Denied #130

Closed inspector44 closed 10 months ago

inspector44 commented 11 months ago

Describe the bug

The https://game.autonity.org/account-holders/ endpoint is returning a key with "Access Denied". I guessed that this might not be a desired behavior. I suspected a security vulnerability.

To Reproduce

Steps to reproduce the behaviour:

  1. Go to 'https://docs.autonity.org/delegators/bond-stakee/'
  2. See a key with "Access Denied" text

Device information (please complete the following information):

inspector44 commented 11 months ago

I've seen this happen for every url that doesn't exist. If it's considered a vulnerability, I can close this issue and follow the vulnerability reporting process. Please let me know if there is anything you expect from me.

cmjc commented 11 months ago

Hi @inspector44 thanks for reporting this.

The page game.autonity.org/account-holders doesn't exist, so to get an access denied trying to resolve a URI that doesn't exist is not a CV.

cmjc commented 11 months ago

The issue here I think is one of returning a 403 Forbidden access denied rather than a 404 Not Found.
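A small check for the 403-versus-404 behaviour discussed above, added here as an example; it is not code from the docs.autonity.org repository. It fetches paths that should not exist on a site you operate and flags responses that return 403 with an "Access Denied" body where a 404 is expected; the base URL and paths are placeholders.

```python
import urllib.error
import urllib.request

# Text the reporter saw in the body returned for a non-existent path.
ACCESS_DENIED_MARKER = "Access Denied"


def assess_missing_path_response(status: int, body: str) -> str:
    """Classify how a server answered a request for a path that does not exist.

    "ok"          -> 404 Not Found, the expected answer
    "masked-403"  -> 403 carrying an "Access Denied" body: the storage or
                     edge layer is leaking its own error page instead of a
                     not-found page (the behaviour reported in this issue)
    "forbidden"   -> 403 without that marker, possibly real access control
    "unexpected"  -> anything else, worth a look
    """
    if status == 404:
        return "ok"
    if status == 403:
        if ACCESS_DENIED_MARKER.lower() in body.lower():
            return "masked-403"
        return "forbidden"
    return "unexpected"


def probe(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET url and return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "missing-path-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_site(base_url: str, paths: list[str]) -> dict[str, str]:
    """Probe each path (which should not exist) and map it to a verdict."""
    base = base_url.rstrip("/")
    return {p: assess_missing_path_response(*probe(base + p)) for p in paths}


if __name__ == "__main__":
    # Placeholder site and paths: point this at a host you are responsible for.
    results = check_site("https://example.com", ["/no-such-page/", "/also-missing-XYZ/"])
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
```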

cmjc commented 10 months ago

Thank you for reporting this @inspector44 and it is being looked at. This isn't an issue for the docs.autonity.org repo so this issue will be closed here and doesn't count towards the PCGC Bug Bounty.