cerebrate-project / cerebrate

Cerebrate is an open-source platform meant to act as a trusted contact information provider and interconnection orchestrator for other security tools.
https://www.cerebrate-project.org/
GNU Affero General Public License v3.0

Few issues with the platform - more testing notes #153

Open skiddie0057 opened 1 year ago

skiddie0057 commented 1 year ago

Upon testing I've noticed a few more things.

1.) Most error handling doesn't show custom error pages; instead it shows a part of the code as well as what framework/library it uses through source code. Ex. (when logged in, access this) https://cerebratepp.melicertes.eu/users/login?redirect=abc This might be resolved by turning debug mode to Off, but it looks like the issue is a little bit larger - a lot of errors appear in places they shouldn't (from permissions to general usage of the platform; some are listed here, some previously submitted)

2.) A lot of operations that should work for my user give errors. Ex. when pressing "Audit changes" on my user I get "Error while loading the modal Network response was not ok. Method Not Allowed", or when editing some things about my own user or even organization when I'm the only member

3.) The download button on the organization search seems to download everything regardless of the search query? I've run an empty query and it downloaded a JSON file with a lot of results.

4.) When searching, the popdown is huge, and so are the search results - PGP keys widen the whole website. I'd recommend just displaying the first e.g. 50 characters maybe, yet still searching everything

5.) I've added two mailing lists, both are throwaway entries, and none of them are visible. Bug: Mailing lists aren't visible.

6.) https://cerebratepp.melicertes.eu/user-settings/index?Users.id=87# As reported previously, the user ID for the request is 0, which is incorrect; it should be the user's ID. That might be why it doesn't allow for some changes. This could already be fixed though; please check all edits (especially the one for the Table - JSON formatted one)

7.) Tagging organizations - if there is a single quote in a tag for an organization, the tag cannot be deleted: https://cerebratepp.melicertes.eu/organisations/view/702 ; I didn't want to poke around more with this, so I just submitted this as a bug. I assume there might be an ability to either affect the code (cause errors, inject code maybe) or the database. Please check and fix

8.) You can input anything into the UUID field; it has a string limit, but it allows any strings. Since it goes into the database and also gets reflected back, this could allow for SQLi or even XSS with enough effort (output sanitization seems well done so far, but you never know - I didn't try testing the platform with tools like XSSer; I haven't tried specific WAF-evasive payloads either).

9.) It looks like if I create another user and give it all possible Meta fields, that user will get all the permissions? It seems odd since I can't modify permissions for myself but I can for that other user. Also this could (if it is giving permissions) give the user too many permissions. I'm not sure though; please investigate (and also, should I be able to edit perms for myself?)

10.) There is no Clear filters button; every time I put some filters on I have to manually turn them off

11.) Keycloak doesn't check if the entry is an email when you click "Forgot password". It accepts basically any input - this is easily fixable, yet could cause problems if it doesn't get fixed.

That would be all, thank you for reading :) I hope I helped

Kind regards,

F.O.
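A server-side check for the UUID field described in item 8, added here as an illustration (not Cerebrate's own code; `check_submission` is a hypothetical form-handler wrapper). A length limit alone still admits quotes and markup, so the field is validated against the canonical 8-4-4-4-12 form and normalized before anything is stored or rendered.

```python
import re
import uuid
from typing import Optional

# Strict canonical form only. uuid.UUID() by itself is too lenient for input
# validation: it also accepts "{...}", "urn:uuid:..." and hyphen-less 32-hex
# strings, so a permissive parser would let non-canonical values through.
_CANONICAL_UUID = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def validate_uuid(value: str) -> Optional[str]:
    """Return the canonical lowercase UUID if `value` is well formed, else None.
    Rejecting at the boundary means a quote, angle bracket or any other
    non-hex character never reaches the database or the rendered page."""
    if not isinstance(value, str) or not _CANONICAL_UUID.match(value):
        return None
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return None
    return str(parsed)  # canonical lowercase form


def check_submission(field_value: str) -> dict:
    """Hypothetical form handler: accept only valid UUIDs and report the
    rejection without echoing the raw input back into the response."""
    canonical = validate_uuid(field_value)
    if canonical is None:
        return {"ok": False, "error": "uuid must be in 8-4-4-4-12 hex form"}
    return {"ok": True, "uuid": canonical}


# Constructed sample inputs: one valid UUID and several strings that a
# length limit alone would let through.
SAMPLE_INPUTS = [
    "123E4567-E89B-12D3-A456-426614174000",
    "{123e4567-e89b-12d3-a456-426614174000}",
    "' OR '1'='1",
    "<script>",
    "not-a-uuid-but-under-the-length-limit",
]

if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(repr(sample), "->", check_submission(sample))
```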