Defect #10044: Security bug on Atom feed access - Redmine

Actions

Copy link

Defect #10044

closed

Security bug on Atom feed access

Added by Oguzhan Eren over 13 years ago. Updated over 12 years ago.

Status:

Closed

Priority:

Urgent

Assignee:

Category:

Feeds

Target version:

Start date:

Due date:

% Done:

Estimated time:

Resolution:

Cant reproduce

Affected version:

1.1.3

Description

"http://www.redmine.org/projects/redmine/activity.atom?key=7eebd204d56e0e2fb7244fab3e74bb5510bc0a02&show_messages=1" redmine project atom feed (I can access to forum activities without authorize)

"http://www.redmine.org/projects/secretproject/activity.atom?key=7eebd204d56e0e2fb7244fab3e74bb5510bc0a02&show_messages=1" and I can access a secretproject forum activities without authorize if I found project identifier: secretproject

suggestion to fix: each project must be use different atom key.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Redmine

Custom queries

Defect #10044

Security bug on Atom feed access

Updated by Oguzhan Eren over 13 years ago

Updated by Jean-Philippe Lang over 13 years ago

Updated by Jan Niggemann (redmine.org team member) over 12 years ago

Updated by Jan Niggemann (redmine.org team member) over 12 years ago