[Interchange-bugs] [Bug 167] New - do_view without security check
bugzilla-daemon@localhost.akopia.com
Wed, 11 Apr 2001 18:44:27 -0400
http://developer.akopia.com/bugs/show_bug.cgi?id=167
*** shadow/167 Wed Apr 11 18:44:27 2001
--- shadow/167.tmp.12624 Wed Apr 11 18:44:27 2001
***************
*** 0 ****
--- 1,23 ----
+ Bug#: 167
+ Product: Interchange
+ Version: 4.6.4
+ Platform: PC
+ OS/Version: Linux
+ Status: NEW
+ Resolution:
+ Severity: normal
+ Priority: P3
+ Component: UI
+ AssignedTo: __UNKNOWN__
+ ReportedBy: peasemj@bellatlantic.net
+ URL:
+ Cc:
+ Summary: do_view without security check
+
+ Found a bug in the admin UI, where someone with prying eyes, could see db files
+ if they wanted to.
+ have not tested this outside my environment.
+
+ If user accesses this url -> http://macheine.name.com/cgi-
+ bin/barry/admin/do_view?mv_arg=products/access.asc they see my user database.
+ WITHOUT LOGIN!
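Review bot: The header fields Severity: normal and Component: UI understate what the description reports, which is an admin do_view request returning products/access.asc with no login, an unauthenticated disclosure of the user database. Suggest raising the severity, and having the fix require an authenticated admin session before do_view serves any file named in mv_arg. The description also says this was not tested outside the reporter's environment, so the record should note the setup in use so the behaviour can be confirmed on a stock 4.6.4 install.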