Reporting publicly accessible data : IAC ?
Posted: Fri Aug 07, 2020 12:53 pm
Hello,
I'd like to clarify how to best report security issues where unauthenticated users (simple visitors) can access files and data at a specific URL, without any other action than clicking on a link. My recent reports were rejected as "Cannot reproduce", whereas a click on the provided link shows the issue, typically a database dump or an index listing with public documents in it. However, several of my reports were rejected without enough details to understand what I may be doing incorrectly. For example, see submission 1202323.
I seem to understand, and many of my previous reports were classified as such without being rejected, that they fall under the category "Improper Access Control", or "Improper Privilege Management", which is not offered here?
I also cannot seem to find the submission details again once it is in "Rejected" status? It is annoying to have to recreate it all over again.
Thank you for this site and your replies.