Hello,
I'd like to clarify how to best report security issues where unauthenticated users (simple visitors) can access files and data at a specific URL, without any other action than clicking on a link. My recent reports were rejected as "Cannot reproduce", whereas a click on the provided link shows the issue, typically a database dump or an index listing with public documents in it. However, several of my reports were rejected without enough details to understand what I may be doing incorrectly. For example, see submission 1202323.
I seem to understand, and many of my previous reports were classified as such without being rejected, that they fall under the category "Improper Access Control", or "Improper Privilege Management", which is not offered here?
I also cannot seem to find the submission details again once it is in "Rejected" status? Annoying to have to recreate it all over again.
Thank you for that site and your replies.
Reporting publicly accessible data : IAC ?
Re: Reporting publicly accessible data : IAC ?
Directory listings are not IAC.
Re: Reporting publicly accessible data : IAC ?
Hello,
So how would you qualify, for example, a list of confidential resumes from applicants that can be found and read by anybody,
or a database dump with all confidential site data and credentials in it? How should a researcher report those?
Thanks.
Re: Reporting publicly accessible data : IAC ?
list of resumes - GDPR
database dump - IAC