View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0001695 | v3.4 Release (Current) | Smartsearch | public | 2016-06-14 02:45 | 2019-01-03 12:53
Reporter | Themoulos
Assigned To | caseydk
Priority | urgent | Severity | major | Reproducibility | always
Status | closed | Resolution | fixed
Product Version |
Target Version | Fixed in Version |
Summary | 0001695: Security Issue in Search
Description | In "search", whether "Smart" or not, if you enter a keyword, the user gets a list of all items that contain the keyword, even if he has no right to view them. Yes, if he clicks on the link, he cannot view the content, but he can still see, for example, the titles of tasks for projects and companies he has no right to know existed... This is also valid for version 3.4 pre. In my case, this is considered a major security flaw, and for the time being I have hidden the "search" textbox completely until a solution is found.
Steps To Reproduce | Enter a keyword in search...
Tags | No tags attached.

Themoulos (reporter) 2016-07-17 11:56 | checkModuleItem_load function must be copy-pasted in cleanup_functions.php
caseydk (administrator) 2016-12-27 20:16 | Resolved in the v3.4 development branch: https://github.com/web2project/web2project/commit/0b4520acc6110e310db1af7cff05aefc6b7b47fd
caseydk (administrator) 2019-01-03 12:53 | In the 31 Dec 2018 release: http://docs.web2project.net/release-notes/3.4.html

Date Modified | Username | Field | Change |
---|---|---|---|
2016-06-14 02:45 | Themoulos | New Issue | |
2016-07-17 11:51 | Themoulos | File Added: smartsearch.class.php | |
2016-07-17 11:54 | Themoulos | File Added: checkModuleItem_load.php | |
2016-07-17 11:56 | Themoulos | Note Added: 0003787 | |
2016-12-26 23:34 | caseydk | Project | v3.3 Release => v3.4 Release (Current) |
2016-12-27 20:16 | caseydk | Assigned To | => caseydk |
2016-12-27 20:16 | caseydk | Status | new => resolved |
2016-12-27 20:16 | caseydk | Resolution | open => fixed |
2016-12-27 20:16 | caseydk | Note Added: 0003793 | |
2019-01-03 12:53 | caseydk | Note Added: 0003958 | |
2019-01-03 12:53 | caseydk | Status | resolved => closed |
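
The class of flaw reported above, a per-item permission check that is enforced on the detail view but not when the search result list is built, shown as an added PHP example. It is not web2project's code: the data model, the sample rows and the function names `canView`, `viewItem`, `searchUnfiltered` and `searchFiltered` are hypothetical.

```php
<?php
// Constructed sample data; every name here is hypothetical, not web2project's API.
$items = [
    ['module' => 'projects', 'id' => 1,  'project' => 1, 'title' => 'Website redesign'],
    ['module' => 'projects', 'id' => 2,  'project' => 2, 'title' => 'Merger redesign plan'],
    ['module' => 'tasks',    'id' => 10, 'project' => 1, 'title' => 'Redesign login page'],
    ['module' => 'tasks',    'id' => 11, 'project' => 2, 'title' => 'Redesign payroll export'],
];
// Assumption: user 7 may view project 1 only; tasks inherit access from their project.
$acl = [7 => ['projects' => [1]]];

function canView(array $acl, int $userId, array $item): bool
{
    $allowed = $acl[$userId]['projects'] ?? [];
    return in_array($item['project'], $allowed, true);
}

// Detail view: already denies access, as the report describes.
function viewItem(array $items, array $acl, int $userId, string $module, int $id): ?array
{
    foreach ($items as $item) {
        if ($item['module'] === $module && $item['id'] === $id) {
            return canView($acl, $userId, $item) ? $item : null;
        }
    }
    return null;
}

// Listing as reported: matches on the keyword only, so titles of hidden items leak.
function searchUnfiltered(array $items, string $keyword): array
{
    return array_values(array_filter($items,
        fn(array $i): bool => stripos($i['title'], $keyword) !== false));
}

// Listing with the same per-item check as the detail view, applied before the
// results are counted or rendered so neither titles nor hit counts leak.
function searchFiltered(array $items, array $acl, int $userId, string $keyword): array
{
    return array_values(array_filter(searchUnfiltered($items, $keyword),
        fn(array $i): bool => canView($acl, $userId, $i)));
}

$leaky = searchUnfiltered($items, 'redesign');
$safe  = searchFiltered($items, $acl, 7, 'redesign');
printf("unfiltered: %d hits, filtered: %d hits\n", count($leaky), count($safe));
printf("detail view of tasks#11: %s\n", viewItem($items, $acl, 7, 'tasks', 11) ? 'shown' : 'denied');
echo implode("\n", array_column($leaky, 'title')), "\n";
```

Sharing one check between the detail view and the listing keeps the two code paths from drifting apart, and filtering before counting or pagination keeps the number of hidden matches from showing up in totals.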