Blog Documentation Try Vanilla Cloud
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

Users can see "most recent" activity from categories they don't have access to

Wilson29thIDWilson29thID New
in Vanilla 3.x Help

After upgrading Vanilla to v3.3 (from 2.3), users can see "Most recent" activity from categories they don't have access to: specifically the post title/author/timestamp. This appears in the parent category's "Most recent" post area.

I posted a bug report but haven't heard back yet so thought I'd mention it here in case any other users have run into the issue.

Steps to reproduce the behavior:

  1. Create a sub-category with custom permissions so only members of a certain role can see it.
  2. While logged in as a member who is not of that role, look at the /categories page, at the parent category's "most recent" post area.

Screen recording from fresh install

Tagged:

Comments

  • Options
    charrondevcharrondev Developer Lead (PHP, JS) Montreal Vanilla Staff
    edited February 2020

    It seems valid, I'll take a look into how it's getting triaged for you. I will note that generally with security issues the place they get the most attention is on our hackerone bounty program. We have certain timelines for fast we triage things there, and if the issues is of certain severity we pay out bounties.

    https://hackerone.com/vanilla

    I'm not sure if you are eligible for a bounty when they are publicly disclosed though.


    In any case I'll try and get a response this week.

  • Options
    Wilson29thIDWilson29thID New

    Oh wow, I didn't have this as a "security issue" in my mind! Frankly I assumed I was configuring something wrong. Would it be helpful for me to post it on the bug bounty as well?

  • Options
    Wilson29thIDWilson29thID New

    Hi, has there been any update on this security issue?

  • Options
    Wilson29thIDWilson29thID New

    Hey, it’s been a year since I reported this security issue. Has there been any investigation?

  • Options
    daocaoitdaocaoit New

    maybe you can fix it like this , but if the last discussion is in private category , the most recent will be hidden.

    private function gatherLastIDs($categoryTree, &$result = null) {
        if ($result === null) {
            $result = [];
        }
        
        foreach ($categoryTree as $category) {
            if($category['LastCategoryID'] == $category['CategoryID'])
            {
                $result["{$category['LastDiscussionID']}/{$category['LastCommentID']}"] = [
                    'DiscussionID' => $category['LastDiscussionID'],
                    'CommentID' => $category['LastCommentID']
                ];
            }
            

            if (!empty($category['Children'])) {
                $this->gatherLastIDs($category['Children'], $result);
            }
        }
    }

    or you can get session user info

    Gdn::session()->User

    you can check the discussion view permission of special category

Sign In or Register to comment.