2019-04-24 18:50 PDT

ID: 0001695
Project: v3.4 Release (Current)
Category: Smartsearch
View Status: public
Last Update: 2019-01-03 12:53
Reporter: Themoulos
Assigned To: caseydk
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version:
Target Version:
Fixed in Version:
Summary: 0001695: Security Issue in Search
Description: In "search", whether "Smart" or not, if you enter a keyword, the user gets a list of all items that contain the keyword, even if he has no right to view them.

Yes, if he clicks on the link, he cannot view the content, but he can still see, for example, the titles of the tasks for projects and companies he has no right to know existed...

This is also valid for version 3.4 pre.

In my case, this is considered a major security flaw, and for the time being I have hidden the "search" textbox completely until a solution is found.
Steps To Reproduce: Enter a keyword in search...
Tags: No tags attached.
Attached Files:
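The defect the report describes is a search that matches on keyword alone and leaves the permission check to the item's own page, so titles leak through the result list. The following is an added illustration, not web2project's code: a constructed data set and permission model (the `can_view` helper stands in for the application's own per-item check, which the notes call `checkModuleItem_load` without giving its signature) with the leaky search beside the hardened one that filters every candidate before returning it.

```python
"""Authorization-filtered keyword search: an added illustration, not web2project code.

The bug on this page: search returns every item whose text matches the keyword and
the permission check runs only when the user opens the link. The fix applies the
same per-item check to every candidate before it is returned, so titles of hidden
projects, companies and tasks never reach the result list. All data is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    module: str         # "companies", "projects" or "tasks"
    item_id: int
    owner_company: int  # company the item belongs to; drives visibility here
    title: str

# Constructed sample data: two companies, each with one project and one task.
ITEMS = [
    Item("companies", 1, 1, "Acme Corp"),
    Item("companies", 2, 2, "Secret Labs"),
    Item("projects", 10, 1, "Acme website relaunch"),
    Item("projects", 20, 2, "Secret Labs stealth product"),
    Item("tasks", 100, 1, "Draft relaunch plan"),
    Item("tasks", 200, 2, "Prototype stealth product"),
]

# Constructed permission model: a user sees items of the companies listed for
# them. It stands in for the application's own per-item check (the reporter's
# note names checkModuleItem_load; its real signature is not on this page).
USER_COMPANIES = {"alice": {1}, "bob": {2}, "admin": {1, 2}}

def can_view(user: str, item: Item) -> bool:
    return item.owner_company in USER_COMPANIES.get(user, set())

def search_leaky(keyword: str) -> list[str]:
    """Vulnerable behaviour: keyword match only; permissions are never consulted."""
    kw = keyword.lower()
    return [it.title for it in ITEMS if kw in it.title.lower()]

def search_authorized(user: str, keyword: str) -> list[str]:
    """Hardened: the per-item check filters every candidate before it is returned."""
    kw = keyword.lower()
    return [it.title for it in ITEMS if kw in it.title.lower() and can_view(user, it)]

if __name__ == "__main__":
    print(search_leaky("product"))                # leaks both Secret Labs titles to anyone
    print(search_authorized("alice", "product"))  # [] for a user outside company 2
```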

Notes

~0003787 Themoulos (reporter):

The checkModuleItem_load function must be copy-pasted into cleanup_functions.php.

~0003793 caseydk (administrator):

Resolved in the v3.4 development branch:

https://github.com/web2project/web2project/commit/0b4520acc6110e310db1af7cff05aefc6b7b47fd

~0003958 caseydk (administrator):

In the 31 Dec 2018 release: http://docs.web2project.net/release-notes/3.4.html

Issue History
Date Modified     Username   Field          Change
2016-06-14 02:45  Themoulos  New Issue
2016-07-17 11:51  Themoulos  File Added     smartsearch.class.php
2016-07-17 11:54  Themoulos  File Added     checkModuleItem_load.php
2016-07-17 11:56  Themoulos  Note Added     0003787
2016-12-26 23:34  caseydk    Project        v3.3 Release => v3.4 Release (Current)
2016-12-27 20:16  caseydk    Assigned To    => caseydk
2016-12-27 20:16  caseydk    Status         new => resolved
2016-12-27 20:16  caseydk    Resolution     open => fixed
2016-12-27 20:16  caseydk    Note Added     0003793
2019-01-03 12:53  caseydk    Note Added     0003958
2019-01-03 12:53  caseydk    Status         resolved => closed