HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Search
-
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
@Lincoln That's not the case. Both User Name and Email are completely unique. I reproduced the issue for the first time, and, for some reason, User ID 2 gets overwritten with new data. Before this happens, the existing Users are the following: - Admin. ID: 1, email: admin@xyz.com - Steve. ID: 2, email: steve@xyz.com -… -
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
Bingo! The ForeignUserKey is the culprit. The master website passes 3 as the User ID (which is the site's internal User ID). That matches an existing User, which is overwritten. Why does it happen now, and it didn't happen before? The master website has been moved to another server and reinstalled completely from scratch.… -
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
-
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
Correction to my previous post It seems that Vanilla already distinguishes unique IDs coming from different sites. While querying the UserAuthentication table, I didn't select all fields and I just spotted ProviderID. This is the ID of the Client which sends the JSON, and I presume that Vanilla uses the pair… -
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
-
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
My User ID (Super Admin) is 1, and the Admin column in User table is zero for the new User. Tables haven't been touched by anyone except Vanilla itself. One more interesting finding, which clarifies what may have happened, but not why: I have some Users created by JsConnect with ID 4, 5 and 6 (6 was the highest User ID in… -
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
I think that HalfCat meant that different websites should provide IDs that are unique amongst them, which is not easy (and, often, not possible). What I was not aware of was that the ID passed by a Client was used to find a User in Vanilla. Since JsConnect requires User Name and Email, I thought they were the ones used to… -
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
-
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
-
Re: Warning: Potentially serious security issue if you use jsConnect and reinstall your site.
Since Vanilla allows multiple clients, it's its duty to distinguish the IDs received from one or the other client, without mixing things up. In fact, this is what it does (I just didn't notice the ProviderKey field, when I wrote my previous post). I totally agree with this point, you cannot have security based on external…
10 results