2008-12-12 22:04:34 |
papukaija |
bug |
|
|
added bug |
2008-12-12 22:18:12 |
papukaija |
description |
For some reason I am able to display (and edit, but not tested) the editlocation-page without the forbidden message if the user in question hasn't set his/her location and timezone (with https://launchpad.net/~user-with-no-locations-set/+editlocation ).
Users who have set their location aren't affected by this bug, see for example https://launchpad.net/~mvo/+editlocation .
This bug is a security vulnerability or at least someone could abuse the editlocation-page.
I can give an example page where this bug happens if needed. |
For some reason I am able to display (and edit, but not tested) the editlocation-page without the forbidden message if the user in question hasn't set his/her location and timezone (with https://launchpad.net/~user-with-no-locations-set/+editlocation ).
This bug is a security vulnerability or at least someone could abuse the editlocation-page.
Here are two working examples:
https://launchpad.net/~peruus/+editlocation
https://launchpad.net/~dpgravjob/+editlocation
--> Users who have set their location aren't affected by this bug, see for example:
https://launchpad.net/~mvo/+editlocation |
|
2008-12-12 22:21:40 |
papukaija |
description |
For some reason I am able to display (and edit, but not tested) the editlocation-page without the forbidden message if the user in question hasn't set his/her location and timezone (with https://launchpad.net/~user-with-no-locations-set/+editlocation ).
This bug is a security vulnerability or at least someone could abuse the editlocation-page.
Here are two working examples:
https://launchpad.net/~peruus/+editlocation
https://launchpad.net/~dpgravjob/+editlocation
--> Users who have set their location aren't affected by this bug, see for example:
https://launchpad.net/~mvo/+editlocation |
For some reason I am able to display (and edit, but not tested) the editlocation-page without the forbidden message if I'm logged in and if the user in question hasn't set his/her location and timezone (with https://launchpad.net/~user-with-no-locations-set/+editlocation ).
This bug is a security vulnerability or at least someone could abuse the editlocation-page.
Here are two working examples:
https://launchpad.net/~peruus/+editlocation
https://launchpad.net/~dpgravjob/+editlocation
--> Users who have set their location aren't affected by this bug, see for example:
https://launchpad.net/~mvo/+editlocation |
|
2008-12-16 18:13:16 |
Ursula Junque |
marked as duplicate |
|
262193 |
|
2012-05-09 21:27:31 |
Curtis Hovey |
visibility |
private |
public |
|
2012-05-09 21:27:31 |
Curtis Hovey |
security vulnerability |
yes |
no |
|
2012-08-09 23:51:55 |
William Grant |
removed subscriber Launchpad Security |
|
|
|