nexusphp

Contents of shoutbox can be accessed without logging in

Open hauntedrows opened this issue 1 year ago • 1 comments

It appears that the shoutbox.php URI is not secured by a check to ensure that the user is logged in.

By editing the URL, any user can bring up the current contents of the tracker's shoutbox in a browser window.

This would appear to be a serious security hole.

hauntedrows, Feb 11 '24 12:02

Fixed, see here

xiaomlove, Feb 20 '24 03:02