Potential Security Flaw

  • Monday, May 12 2003 @ 10:50 pm EDT
  • Contributed by:
  • Views: 9,001
  • Security

A friend of mine signed up and I forgot to assign him to a private group I created called "friends" on my Geeklog.

He wanted to view the hidden stories but he couldn't. Then he found a way to get to the security settings by clicking on the "mail story" button.

Well this confused me because he wasn't supposed to be able to see the story anyway to mail it.

I had only checked the site as an anonymous user and it's true that when I was anonymous I couldn't see the topic listed in the "sections" list nor could I see the story listed on the front page.

Yet when I created a simple user account I could suddenly read the lead section of the story and have access to e-mail the entire story to myself. If I click on the "read more" link I am told that I am not a member of the site, although technically I am a member since I created an account.

Sort of nit-picky on that part, but the security flaw is sort of an issue.

I think what may be happening, and I can't come up with a reason why it would happen, is that the story is being saved with the "member" box checked (even though I know I physically deselected the box when I submitted the story).

I've had to go back and remove the check from the "members" box to hide the story from regular members.

When I look at the settings for the "topic" called "friends", it shows that only "group" members can get into it; indeed, it doesn't show up as a topic under "sections" for a regular logged-in user.

Is anyone following this? LOL
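The behaviour described in the post, the front page and "read more" honouring the topic's group while the lead text and "mail story" only consult the "members" flag, is the classic shape of an authorization bug: several entry points each answering "may this user read this story?" on their own. The model below is an added example, not Geeklog's code; the class names, permission fields, sample users and sample story are all assumptions made for the illustration. It contrasts the per-page checks with a single `can_read` decision reused by every path.

```python
"""Added example (not Geeklog's own code): one authorization decision vs.
several per-page ones.

Three code paths all need to answer the same question, "may this user read
this story?". In the post they answered it differently:
  - front page / topic list   -> hidden from regular members  (correct)
  - lead text + "mail story"  -> shown to any logged-in member (the leak)
  - "read more"               -> denied to regular members    (correct)

Everything here (names, fields, sample data) is a hypothetical
simplification constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


@dataclass
class User:
    name: str
    logged_in: bool
    groups: set = field(default_factory=set)   # private groups the user belongs to


@dataclass
class Story:
    title: str
    lead: str
    body: str
    members_only: bool           # the "members" checkbox: any logged-in user may read
    group: Optional[str] = None  # topic restricted to a private group, if any


# Constructed sample data matching the post: a story in the "friends" topic
# whose "members" box ended up set even though the author deselected it.
ALICE_FRIEND = User("alice", logged_in=True, groups={"friends"})
BOB_MEMBER = User("bob", logged_in=True)              # signed up, not in "friends"
GUEST = User("guest", logged_in=False)
STORY = Story("Hidden story", "Lead paragraph", "Full text",
              members_only=True, group="friends")


# --- Inconsistent: each page decides for itself (what the post describes) ---
def leaky_front_page_lists(user: User, story: Story) -> bool:
    return story.group is None or story.group in user.groups


def leaky_lead_and_mail_allowed(user: User, story: Story) -> bool:
    # Only the "members" flag is consulted; the topic's group is never checked.
    return (not story.members_only) or user.logged_in


def leaky_read_more_allowed(user: User, story: Story) -> bool:
    return story.group is None or story.group in user.groups


# --- Fixed: one decision, reused by every entry point -----------------------
def can_read(user: User, story: Story) -> bool:
    """Single authorization decision: every restriction must be satisfied."""
    if story.group is not None and story.group not in user.groups:
        return False
    if story.members_only and not user.logged_in:
        return False
    return True


def front_page_lists(user: User, story: Story) -> bool:
    return can_read(user, story)


def lead_and_mail_allowed(user: User, story: Story) -> bool:
    return can_read(user, story)


def read_more_allowed(user: User, story: Story) -> bool:
    return can_read(user, story)


LEAKY_PATHS = (leaky_front_page_lists, leaky_lead_and_mail_allowed, leaky_read_more_allowed)
FIXED_PATHS = (front_page_lists, lead_and_mail_allowed, read_more_allowed)


def paths_consistent(user: User, story: Story,
                     paths: Iterable[Callable[[User, Story], bool]]) -> bool:
    """True when every entry point gives the same answer for this user.

    A disagreement is exactly the symptom from the post: one page hides the
    story while another page hands it out.
    """
    answers = {path(user, story) for path in paths}
    return len(answers) == 1


if __name__ == "__main__":
    for user in (GUEST, BOB_MEMBER, ALICE_FRIEND):
        print(user.name,
              "leaky paths agree:", paths_consistent(user, STORY, LEAKY_PATHS),
              "fixed paths agree:", paths_consistent(user, STORY, FIXED_PATHS))
```

The check worth keeping from this is `paths_consistent`: run it for a user in each role against a restricted story, and any `False` points at an entry point that is enforcing a different rule from the rest. The guest case also matches the post, since the leaky lead/mail path still denies anonymous users, which is why testing only as an anonymous user did not reveal the problem.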