strongloop / strong-remoting

Communicate between objects in servers, mobile apps, and other servers.
www.strongloop.com

Prototype methods apply ACL checks only after a model instance is found. #311

Closed richardpringle closed 8 years ago

richardpringle commented 8 years ago

When making a call to VERB api/ExampleModel/:id/operation the ACL is only checked upon model instance discovery, otherwise you get a 404 response instead of a 401. This indicates that a record with that particular id does not exist even if the user does not have permission to check whether particular models exist or not.
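The ordering problem described in this issue, as an added illustration (not strong-remoting's or LoopBack's own code): a request handler that resolves the model instance before evaluating the ACL returns 404 for missing ids and 401 for existing ones, so the status code alone tells an unauthorized caller whether a record exists. Reordering the two steps makes the unauthorized response independent of existence. The model, ACL and handler names (`ExampleModel`, `checkAcl`, `handleVulnerable`, `handleFixed`, `leaksExistence`) and the in-memory records are constructed for this example.

```javascript
// Constructed in-memory store standing in for the model's data source.
const ExampleModel = {
  records: new Map([
    [1, { id: 1, owner: 'alice' }],
    [2, { id: 2, owner: 'bob' }],
  ]),
  findById(id) {
    return this.records.get(id) || null;
  },
};

// Constructed ACL: only callers holding the "admin" role may invoke the
// prototype method (a stand-in for the real ACL evaluation).
function checkAcl(user) {
  return Boolean(user && Array.isArray(user.roles) && user.roles.includes('admin'));
}

// Ordering from the issue: look the instance up first, authorize second.
// An unauthorized caller gets 404 for a missing id and 401 for an existing
// one, so the response reveals whether the id exists.
function handleVulnerable(user, id) {
  const inst = ExampleModel.findById(id);
  if (!inst) return { status: 404 };
  if (!checkAcl(user)) return { status: 401 };
  return { status: 200, body: inst };
}

// Corrected ordering: authorize before touching the data source. An
// unauthorized caller now sees 401 regardless of whether the id exists.
function handleFixed(user, id) {
  if (!checkAcl(user)) return { status: 401 };
  const inst = ExampleModel.findById(id);
  if (!inst) return { status: 404 };
  return { status: 200, body: inst };
}

// Regression check: true when the handler's response status for the given
// caller differs between an existing and a missing id, i.e. when it acts as
// an existence oracle for that caller.
function leaksExistence(handler, user, existingId, missingId) {
  return handler(user, existingId).status !== handler(user, missingId).status;
}

// Constructed callers for the demonstration.
const guest = { roles: [] };
const admin = { roles: ['admin'] };

// Stand-alone run: shows the oracle in the vulnerable ordering and its absence
// in the fixed one.
console.log('vulnerable leaks existence:', leaksExistence(handleVulnerable, guest, 1, 999));
console.log('fixed leaks existence:', leaksExistence(handleFixed, guest, 1, 999));
```

The `leaksExistence` helper is the kind of check worth keeping in a test suite for any `/:id/...` route guarded by per-method ACLs: it pins down that an unauthorized caller's response does not vary with record existence, which is the property the 2.28.1 fix discussed below is meant to restore.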

bajtos commented 8 years ago

Cross-posting @michaelfreund's https://github.com/strongloop/loopback/issues/2398#issuecomment-224303992

It is an information leak, where model ids can be iterated to check for model existence. This might be necessary information for further attack.

bajtos commented 8 years ago

@michaelfreund @zkuang @richardpringle I have submitted two alternative pull requests to fix this issue, see #315 and #316. We are discussing with @ritch what would be the best fix, our concern is backwards compatibility. Feel free to try those patches out in your app and/or leave a comment telling us your thoughts.

bajtos commented 8 years ago

The fix is available in strong-remoting@2.28.1.

michaelfreund commented 8 years ago

@bajtos we can confirm this fixes strongloop/loopback#2220 for us.

zkuang commented 8 years ago

@bajtos sorry for the late reply. I'll check them out. Thanks very much.