snoopysecurity / dvws-node

Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities.
GNU General Public License v3.0
442 stars, 173 forks

IDOR vulnerability not working #30

Closed halfluke closed 2 years ago

halfluke commented 2 years ago

I am using the Docker version. It looks like different users cannot see other users' notes even when they were created as "public". And more importantly, IDOR is not working, in the sense that GET /api/v2/notes/[id] always returns an error whether or not a note with that ID exists:

HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin
Access-Control-Allow-Credentials: true
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Type: application/json; charset=utf-8
Content-Length: 220
ETag: W/"dc-pxxTOZHl1i2VvdMk6ROXXUByq18"
Date: Thu, 23 Jun 2022 23:52:40 GMT
Connection: close

{"stringValue":"\"0\"","valueType":"string","kind":"ObjectId","value":"0","path":"_id","reason":{},"name":"CastError","message":"Cast to ObjectId failed for value \"0\" (type string) at path \"_id\" for model \"Notes\""}
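The two behaviours in the report, an owner-unchecked lookup that lets any authenticated user read any note, and a malformed id like `0` surfacing Mongoose's CastError as a 200 response, can be modelled without a database. The block below is an added example, not dvws-node's own code and not the fix from the linked commit: it uses an in-memory Map as a stand-in for the Notes collection, a 24-hex-character regex as a stand-in for Mongoose's ObjectId validation, and constructed note ids and user names. `getNoteVulnerable` reproduces the IDOR shape of `GET /api/v2/notes/:id`; `getNoteHardened` shows the checks a non-training application would add.

```javascript
// Added example (not dvws-node's own code): a minimal model of the
// GET /api/v2/notes/:id lookup discussed in this issue, with no Express
// or Mongoose dependency so it runs offline under plain `node`.
// Note ids, owners and bodies below are constructed sample data.

// Mongoose ObjectId string form: 24 hex characters. Anything else makes
// Mongoose throw a CastError (as quoted in the report) before the query runs.
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;

// Constructed in-memory stand-in for the Notes collection.
const NOTES = new Map([
  ['62b4f0c1a9e8f2d3c4b5a601', { _id: '62b4f0c1a9e8f2d3c4b5a601', owner: 'alice', public: false, body: 'alice private' }],
  ['62b4f0c1a9e8f2d3c4b5a602', { _id: '62b4f0c1a9e8f2d3c4b5a602', owner: 'bob', public: true, body: 'bob public' }],
  ['62b4f0c1a9e8f2d3c4b5a603', { _id: '62b4f0c1a9e8f2d3c4b5a603', owner: 'bob', public: false, body: 'bob private' }],
]);

// Mimics Notes.findById(): throws on a malformed id, like Mongoose's CastError,
// otherwise returns the document or null.
function findById(id) {
  if (!OBJECT_ID_RE.test(id)) {
    const err = new Error(`Cast to ObjectId failed for value "${id}" (type string) at path "_id" for model "Notes"`);
    err.name = 'CastError';
    throw err;
  }
  return NOTES.get(id) || null;
}

// IDOR-style handler: the caller is authenticated (user) but ownership is
// never checked, so any well-formed id returns any user's note, public or not.
// A malformed id turns the CastError into a JSON body with HTTP 200, which is
// the shape of the response quoted in the report above.
function getNoteVulnerable(user, id) {
  try {
    const note = findById(id);
    return note ? { status: 200, body: note } : { status: 404, body: { error: 'not found' } };
  } catch (err) {
    return { status: 200, body: { name: err.name, message: err.message } };
  }
}

// Hardened handler: reject malformed ids up front with 400 so the ORM never
// throws, then release a note only to its owner or, if public, to anyone.
// "Missing" and "not yours" both map to 404 so ids cannot be enumerated.
function getNoteHardened(user, id) {
  if (!OBJECT_ID_RE.test(id)) {
    return { status: 400, body: { error: 'invalid note id' } };
  }
  const note = findById(id);
  if (!note || (note.owner !== user && !note.public)) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: note };
}

// Stand-alone demonstration: alice reading bob's private note, then the
// malformed id "0" from the report, through both handlers.
console.log('vulnerable, bob private:', getNoteVulnerable('alice', '62b4f0c1a9e8f2d3c4b5a603').status);
console.log('vulnerable, id "0":', getNoteVulnerable('alice', '0').body.name);
console.log('hardened, bob private:', getNoteHardened('alice', '62b4f0c1a9e8f2d3c4b5a603').status);
console.log('hardened, id "0":', getNoteHardened('alice', '0').status);
```

The ownership filter belongs in the query itself in a real Mongoose handler (`Notes.findOne({ _id: id, $or: [{ owner: user }, { public: true }] })`), which is the same decision expressed in one place rather than after the fetch; the regex check in front of it is what keeps a CastError from becoming a user-visible error body.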

snoopysecurity commented 2 years ago

Hey @halfluke, thanks for reporting, indeed this is an issue. I've fixed it with https://github.com/snoopysecurity/dvws-node/commit/fd650a4b42fd26fb527b1f244a4447ca3a33b99a; if you clone the latest version and fix, you should be able to read other users' notes.

halfluke commented 2 years ago

Thanks!

halfluke commented 2 years ago

Although public notes are still not displayed for all users by default...

snoopysecurity commented 2 years ago

You mean within http://dvws.local/notes.html? Yeah, that's intentional. That area only shows you notes related to you. http://dvws.local/search.html will show you other users' public notes if you know the name.

But I can see why you would want this feature. On the latest version, if you go to the public notes area, this will display all public notes.

halfluke commented 2 years ago

Fantastic, thanks again :)