Closed hauntedrows closed 3 months ago
It appears that the shoutbox.php URI is not secured by a check to ensure that the user is logged in.
By editing the URL, any user can bring up the current contents of the tracker's shoutbox in a browser window.
This would appear to be a serious security hole.
Fixed, see here
xiaomlove
commented
4 months ago
It appears that the shoutbox.php URI is not secured by a check to ensure that the user is logged in.
By editing the URL, any user can bring up the current contents of the tracker's shoutbox in a browser window.
This would appear to be a serious security hole.