Defect #10044: Security bug on Atom feed access
Status: Closed
Description
"http://www.redmine.org/projects/redmine/activity.atom?key=7eebd204d56e0e2fb7244fab3e74bb5510bc0a02&show_messages=1" redmine project atom feed (I can access forum activities without authorization)
"http://www.redmine.org/projects/secretproject/activity.atom?key=7eebd204d56e0e2fb7244fab3e74bb5510bc0a02&show_messages=1" and I can access secretproject forum activities without authorization if I find the project identifier: secretproject
suggestion to fix: each project must use a different atom key.
Updated by Jean-Philippe Lang over 13 years ago
- Resolution set to Cant reproduce
Cannot reproduce. I get a 403 response when trying to access a feed of a private project when using an RSS key of a user that does not have access to this project.
Make sure you don't have a session open for another user when you do the test.
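A simplified model of the behaviour described in the comment above, added here as an example and not Redmine's own code: the Atom key only identifies a user, and the project visibility check still runs on every request, so a key never unlocks a private project its owner cannot see. The open-browser-session caveat is modelled as a session user that takes precedence over the key; all names, projects and keys are constructed.

```ruby
# Added example (not Redmine's code): per-user feed-key authorization model.
# The key resolves to a user; project access is checked on every request.

Project = Struct.new(:identifier, :is_public, :members)
User    = Struct.new(:login, :rss_key)

# Constructed sample data. Keys are placeholders, not real Redmine keys.
KEY_ALICE = 'a' * 40
KEY_BOB   = 'b' * 40
USERS = [User.new('alice', KEY_ALICE), User.new('bob', KEY_BOB)]
PROJECTS = [
  Project.new('redmine',       true,  %w[alice bob]), # public project
  Project.new('secretproject', false, %w[alice]),     # private, alice only
]

class FeedAuthorizer
  def initialize(users, projects)
    @users_by_key = users.to_h { |u| [u.rss_key, u] }
    @projects     = projects.to_h { |p| [p.identifier, p] }
  end

  # HTTP-style status for GET /projects/:id/activity.atom?key=...
  # session_user models an already logged-in browser session, which here
  # takes precedence over the key (assumption, used to explain the report).
  def status_for(project_id, key, session_user: nil)
    project = @projects[project_id]
    return 404 unless project
    user = session_user || @users_by_key[key]   # nil => anonymous visitor
    allowed = project.is_public || (user && project.members.include?(user.login))
    allowed ? 200 : 403
  end
end

AUTH = FeedAuthorizer.new(USERS, PROJECTS)

if __FILE__ == $PROGRAM_NAME
  puts "bob's key   -> secretproject: #{AUTH.status_for('secretproject', KEY_BOB)}"   # 403
  puts "alice's key -> secretproject: #{AUTH.status_for('secretproject', KEY_ALICE)}" # 200
  # Same key as the 403 case, but with alice's session open: the session wins.
  puts "bob's key, alice session: #{AUTH.status_for('secretproject', KEY_BOB, session_user: USERS[0])}" # 200
end
```

The last line reproduces what the comment warns about: a request that looks like a non-member's key succeeding only because another user's session is attached to it.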
Updated by Jan Niggemann (redmine.org team member) over 12 years ago
- Affected version (unused) set to 1.1.3
- Affected version set to 1.1.3
Closing, no feedback for 1 year...
Updated by Jan Niggemann (redmine.org team member) over 12 years ago
- Status changed from New to Closed