! Security- and Privacy Vulnerability found !
Quote from HA-Dani on October 25, 2022, 2:33 pm
Hello All,
We have noticed that the profiles of each user are accessible through the URL https://www.website.de/forum/profile/1/. If you replace the 1 by any number, you will find all registered users incl. profile.
This makes various attack scenarios conceivable. I don’t think that this is desired?
Here is a suggestion for a solution:
Just replace the consecutive number with the hash value of the respective user name.
This is quite easy to implement and brings a lot in terms of security and data protection.
Best regards, Daniel
Quote from Asgaros on March 7, 2023, 3:51 am
Hello @ha-dani
This is not a security vulnerability. Users are visible via the members list. If you don't want to reveal your users to the public, you can disable this feature and/or hide profiles from logged-out users.
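
The two options discussed in this thread, as an added example that is not part of the original posts and not Asgaros Forum's own code: an opaque token in the profile URL in place of the sequential number, combined with the check that hides profiles from logged-out users. It assumes a keyed HMAC rather than a plain hash of the user name, because a plain hash can be recomputed by anyone who knows the name; `SECRET_KEY`, `USERS`, `HIDE_PROFILES_FROM_GUESTS`, `profile_slug` and `resolve_profile` are hypothetical names.

```python
import hashlib
import hmac

# Constructed sample data. All names and settings here are hypothetical
# and do not come from the forum software discussed in the thread.
SECRET_KEY = b"constructed-demo-key-load-real-keys-from-config"
USERS = {1: "alice", 2: "bob", 3: "carol"}  # sequential id -> user name
HIDE_PROFILES_FROM_GUESTS = True  # models "hide profiles from logged-out users"


def profile_slug(username: str) -> str:
    """Opaque URL token: HMAC-SHA256 of the user name under a server-side key."""
    mac = hmac.new(SECRET_KEY, username.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]  # 128 bits, so tokens cannot be walked like 1, 2, 3


# Reverse index built once, so request handling never uses the sequential id.
SLUG_TO_ID = {profile_slug(name): uid for uid, name in USERS.items()}


def resolve_profile(path_segment: str, logged_in: bool):
    """Return (status, body) for a request to /forum/profile/<path_segment>/."""
    # The visibility setting is the actual access control. The token only
    # removes the predictable numbering; it does not replace this check.
    if HIDE_PROFILES_FROM_GUESTS and not logged_in:
        return 403, None
    uid = SLUG_TO_ID.get(path_segment)
    if uid is None:
        return 404, None  # numeric ids and unknown tokens both land here
    return 200, {"name": USERS[uid]}


if __name__ == "__main__":
    token = profile_slug("alice")
    print("profile URL path: /forum/profile/%s/" % token)
    print("guest request:   ", resolve_profile(token, logged_in=False))
    print("member request:  ", resolve_profile(token, logged_in=True))
    print("old numeric URL: ", resolve_profile("1", logged_in=True))
```

If profiles are also linked from a public members list, the tokens are discoverable there, so the visibility setting remains the control that decides who can read a profile.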