MantisBT - v3.4 Release (Current)
View Issue Details
ID: 0001695
Project: v3.4 Release (Current)
Category: Smartsearch
View Status: public
Date Submitted: 2016-06-14 02:45
Last Update: 2019-01-03 12:53
Assigned To: caseydk
Platform / OS / OS Version: (not set)
Product Version: (not set)
Target Version / Fixed in Version: (not set)
Summary: 0001695: Security Issue in Search
Description: In "search", whether "Smart" or not, if you enter a keyword, the user gets a list of all items that contain the keyword, even if he has no right to view them.

Yes, if he clicks on the link, he cannot view the content, but he can still see, for example, the titles of tasks in projects and companies he has no right to know even exist...

This is also valid for version 3.4 pre.

In my case, this is considered a major security flaw, and for the time being I have hidden the "search" textbox completely, till a solution is found.
Steps To Reproduce: Enter a keyword in search...
Tags: No tags attached.
Attached Files:
  smartsearch.class.php (6,677 bytes)
  checkModuleItem_load.php (1,328 bytes)

Notes

2016-07-17 11:56  Themoulos  (note 0003787)
checkModuleItem_load function must be copy-pasted into cleanup_functions.php
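To make the reported flaw concrete, here is an added model of the two search paths (constructed for this page, not web2project's code and not the attached files): one lists every keyword match, the other runs each hit through the same per-item view check the detail page applies before listing it. Task, TASKS, PROJECT_ACCESS and can_view are assumed names standing in for the application's own item and permission model.

```python
# Added model of the search disclosure described above; not web2project code.
# The unsafe search matches on the keyword alone, so titles from projects the
# user cannot view still appear. The safe search runs every hit through the same
# per-item view check the detail page enforces, before any result limit is
# applied, so neither titles nor result counts leak.
from dataclasses import dataclass

@dataclass(frozen=True)
class Task:
    task_id: int
    project_id: int
    title: str

# Constructed sample data: projects 20 and 30 are off-limits to user "bob".
TASKS = [
    Task(1, 10, "Public website redesign"),
    Task(2, 20, "Acme acquisition due diligence"),
    Task(3, 10, "Redesign launch checklist"),
    Task(4, 30, "Acme contract renewal"),
]

# Constructed permissions: the projects each user is allowed to view.
PROJECT_ACCESS = {"alice": {10, 20, 30}, "bob": {10}}

def can_view(user: str, task: Task) -> bool:
    """The per-item authorisation check that the item's detail page applies."""
    return task.project_id in PROJECT_ACCESS.get(user, set())

def search_unsafe(user: str, keyword: str, limit: int = 10) -> list[str]:
    """Keyword match only; the caller's permissions are never consulted."""
    kw = keyword.lower()
    return [t.title for t in TASKS if kw in t.title.lower()][:limit]

def search_safe(user: str, keyword: str, limit: int = 10) -> list[str]:
    """Same match, but a hit is listed only if can_view(user, hit) passes."""
    kw = keyword.lower()
    hits = (t for t in TASKS if kw in t.title.lower())
    return [t.title for t in hits if can_view(user, t)][:limit]

def leaked_titles(user: str, keyword: str) -> list[str]:
    """Titles the unsafe search exposes that the user has no right to see."""
    return sorted(set(search_unsafe(user, keyword)) - set(search_safe(user, keyword)))

if __name__ == "__main__":
    for user in PROJECT_ACCESS:
        print(user, "sees", search_safe(user, "acme"), "leaked:", leaked_titles(user, "acme"))
```

The check is applied before the limit slice so a truncated result page cannot reveal, by its gaps or its count, that hidden items matched.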
2016-12-27 20:16  caseydk  (note 0003793)
Resolved in the v3.4 development branch:

2019-01-03 12:53  caseydk  (note 0003958)
In the 31 Dec 2018 release:

Issue History
2016-06-14 02:45  Themoulos  New Issue
2016-07-17 11:51  Themoulos  File Added: smartsearch.class.php
2016-07-17 11:54  Themoulos  File Added: checkModuleItem_load.php
2016-07-17 11:56  Themoulos  Note Added: 0003787
2016-12-26 23:34  caseydk    Project: v3.3 Release => v3.4 Release (Current)
2016-12-27 20:16  caseydk    Assigned To: => caseydk
2016-12-27 20:16  caseydk    Status: new => resolved
2016-12-27 20:16  caseydk    Resolution: open => fixed
2016-12-27 20:16  caseydk    Note Added: 0003793
2019-01-03 12:53  caseydk    Note Added: 0003958
2019-01-03 12:53  caseydk    Status: resolved => closed