Anti Räis
Logged-in user (editor) can change password for other users or delete them. [Example attacks] - http://localhost/system/admin/controllers/password.php POST:p=password&i=<user id> - // Delete user http://localhost/system/admin/controllers/users.php?del=<user id>
Logged-in user can inject attack code and update, delete or modify others' credentials, session or any other data. [Example attacks] //Edit text input - bad tags cause script tag...
Logged-in user (editor) can list folder content with URL traversal. [Example attacks] [Notes: List shows up with style="display:none"; change it to see the content] - http://localhost/system/admin/editor/filemgr/modules/folders.php POST:dir=../ - http://localhost/system/admin/editor/filemgr/modules/files.php?dir=..%2f..%2f..%2f..%2fetc%2f
Fix for issue #230.
As described in the [logging documentation for libraries](https://docs.python.org/3/howto/logging.html#configuring-logging-for-a-library), it is not recommended to use anything other than `logging.NullHandler()` when setting up logging. It is set up in the [errors.py:14](https://github.com/pmaupin/pdfrw/blob/6c892160e7e976b243db0c12c3e56ed8c78afc5a/pdfrw/errors.py#L14) file and overwrites...
Document the preferred process to report and resolve security vulnerabilities. My proposal is to use a specific email address for initial communications (e.g. [email protected]) so that core developers and security researchers...
Additional GPS information helps project managers verify that the work was done in a specific location, e.g. by construction workers. It would be nice to also see the map with a...