MantisBT - v3.4 Release (Current)
View Issue Details
ID: 0001695
Project: v3.4 Release (Current)
Category: Smartsearch
View Status: public
Date Submitted: 2016-06-14 02:45
Last Update: 2019-01-03 12:53
Reporter: Themoulos
Assigned To: caseydk
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version:
Fixed in Version:
Summary: 0001695: Security Issue in Search
Description: In "search", whether "Smart" or not, if you enter a keyword, the user gets a list of all items that contain the keyword, even if he has no right to view them.

Yes, if he clicks on the link, he cannot view the content, but still he can see, for example, the title of the tasks for projects and companies he has no right to know that they existed...

This is also valid for version 3.4 pre.

For my case, this is considered a major security flaw and for the time being I have hidden the "search" textbox completely, till a solution is found.
Steps To Reproduce: Enter a keyword in search...
Tags: No tags attached.
Attached Files:
smartsearch.class.php (6,677 bytes) - https://bugs.web2project.net/file_download.php?file_id=443&type=bug
checkModuleItem_load.php (1,328 bytes) - https://bugs.web2project.net/file_download.php?file_id=444&type=bug
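The defect class behind this report, as an added illustration that is not web2project's code: a keyword search that filters only on the text (the leaking behaviour described above) beside one that passes every hit through a per-item authorization check before it is returned. The Item and Permissions classes and the search_* functions are hypothetical stand-ins, not web2project's smartsearch or checkModuleItem_load APIs; the sample items and the permission table are constructed for the example.

```php
<?php
// Added example, not web2project code. Shows a search that leaks titles of
// items the user may not view, beside one that authorizes each hit first.
// Item, Permissions and the search_* functions are hypothetical names.

declare(strict_types=1);

/** One searchable record: module, id, title and the project it belongs to. */
final class Item {
    public function __construct(
        public readonly string $module,
        public readonly int $id,
        public readonly string $title,
        public readonly int $projectId,
    ) {}
}

/** Hypothetical authorization model: a user may view items of the projects listed for them. */
final class Permissions {
    /** @param array<int, list<int>> $visibleProjectsByUser user id => project ids */
    public function __construct(private array $visibleProjectsByUser) {}

    public function canView(int $userId, Item $item): bool {
        return in_array($item->projectId, $this->visibleProjectsByUser[$userId] ?? [], true);
    }
}

/** Vulnerable: matches on the keyword only, so titles of forbidden items are listed. */
function search_unchecked(array $items, string $keyword): array {
    $needle = mb_strtolower($keyword);
    return array_values(array_filter(
        $items,
        fn (Item $i) => str_contains(mb_strtolower($i->title), $needle)
    ));
}

/** Fixed: same keyword match, then every hit is dropped unless the user may view it. */
function search_checked(array $items, string $keyword, int $userId, Permissions $perms): array {
    return array_values(array_filter(
        search_unchecked($items, $keyword),
        fn (Item $i) => $perms->canView($userId, $i)
    ));
}

// Constructed sample data: user 7 is allowed to see project 1 only.
$items = [
    new Item('tasks',    10, 'Budget review Q3',        1),
    new Item('tasks',    11, 'Budget cut for Acme',     2),
    new Item('projects',  2, 'Acme acquisition budget', 2),
];
$perms = new Permissions([7 => [1]]);

// The unchecked search lists all three titles; the checked one lists only tasks#10.
foreach (search_unchecked($items, 'budget') as $i) {
    echo "leaks: {$i->module}#{$i->id} {$i->title}\n";
}
foreach (search_checked($items, 'budget', 7, $perms) as $i) {
    echo "shows: {$i->module}#{$i->id} {$i->title}\n";
}
```

The check has to run on the full result set before anything derived from it is produced (result count, pagination, "more results" links), otherwise the number of hidden hits still leaks; and it belongs in the search code itself rather than only on the item view page, which is exactly the gap the report describes.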

Notes

(0003787) Themoulos, 2016-07-17 11:56
The checkModuleItem_load function must be copy-pasted into cleanup_functions.php

(0003793) caseydk, 2016-12-27 20:16
Resolved in the v3.4 development branch:

https://github.com/web2project/web2project/commit/0b4520acc6110e310db1af7cff05aefc6b7b47fd

(0003958) caseydk, 2019-01-03 12:53
In the 31 Dec 2018 release: http://docs.web2project.net/release-notes/3.4.html

Issue History
2016-06-14 02:45  Themoulos  New Issue
2016-07-17 11:51  Themoulos  File Added: smartsearch.class.php
2016-07-17 11:54  Themoulos  File Added: checkModuleItem_load.php
2016-07-17 11:56  Themoulos  Note Added: 0003787
2016-12-26 23:34  caseydk    Project: v3.3 Release => v3.4 Release (Current)
2016-12-27 20:16  caseydk    Assigned To: => caseydk
2016-12-27 20:16  caseydk    Status: new => resolved
2016-12-27 20:16  caseydk    Resolution: open => fixed
2016-12-27 20:16  caseydk    Note Added: 0003793
2019-01-03 12:53  caseydk    Note Added: 0003958
2019-01-03 12:53  caseydk    Status: resolved => closed