NeverwinterVault.org - is Rolo Here?


3 replies to this topic

#1
Baaleos
  • Members
  • 1,330 posts
Hi All,
Is Rolo Kipp around here?

I found a serious security flaw at NeverwinterVault.org - I think he's the owner, isn't he?

I posted the details of the bug / flaw to his user account on that site - but got no response - just checked, the bug is still there.

It's a big bug - lets anyone get partial administrative access to the vault - I was able to increase my karma points by 150 - just to test it out etc.
It also allows anyone the ability to mess with / tamper with projects, articles and resources uploaded to the site.


Not sure if it exists in all Drupal sites or just the vault.

If someone can get him to check his vault pvts - he should get the details there.

#2
henesua
  • Members
  • 3,882 posts

I'll poke him

 

thanks.

 

--edit: caught him. He doesn't have time, but he forwarded the communication on to some others who have code skillz and volunteer at the vault.


  • Zwerkules, Tarot Redhand, Wall3T and 1 other like this

#3
Fester Pot
  • Members
  • 1,394 posts

You're a Developer, that's why, Baaleos. Certain administrative functions are available to those with Developer access, even though a Developer does not receive the admin menu that is displayed on every screen like those with Administrative access do. You can give yourself all the points you want if you'd like, or go into the panel however it is you stumbled upon it and explore freely.

 

Whoever gave you Developer access probably didn't pass along the power such access offers, but they must trust you enough, and so I have no reason to worry. :ph34r: ... or do I? Dun-dun-dun! :)

 

FP!


  • Michael DarkAngel, henesua and Rolo Kipp like this

#4
rjshae
  • Members
  • 4,508 posts

[Image: Keep calm, it's not a bug, it's a feature]


  • Zwerkules, Estelindis, henesua and 3 others like this