Unauthorized Access to pending Assets through enumeration

godotengine / godot-asset-library

PHP frontend for Godot Engine's asset library

https://godotengine.org/asset-library

MIT License

292 stars 94 forks source link

Unauthorized Access to pending Assets through enumeration #309

Open moritztim opened 10 months ago

moritztim commented 10 months ago

~~https://godotengine.org/asset-library/asset/edit/9752~~ <- this has since been approved You should not be able to see details of a pending asset. Yet you can, ~~by following the link above. I could have found that link~~ through enumeration, since the db uses incrementing numeric ids.

As you can see, I am not logged in, yet able to view this pending asset

moritztim commented 10 months ago

This is a security risk in 2 scenarios:

A malicious asset could be presented as legitimate since it's accessible on the official asset lib. There's nothing on the page to suggest that this is not approved.
(less likely) A malicious actor finds a pending asset with sensitive info accidentally left in there