2014-06-29, 03:04 PM
(This post was last modified: 2014-07-03, 03:01 PM by Destroy666.)
MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37
Issue description :
A draft is 'virtually' stored on the user's account and as such is assumed to be private;
any knowledge about its existence and content should be known only to the author until published.
Issue :
User drafts can be found by ModCP -> IPSearch.
While the content of a draft cannot be viewed, the draft title and author are exposed in search results,
which is enough to assume its contents and many other things. This is a violation of the user's privacy.
Reproduce :
Go to ModCP -> IP Search -> input IP (of a user who has drafts) -> Press Find Button