Defect #14650
Security vulnerability in Redmine REST API (Status: Closed)
Description
If I log in as a non-administrator and try -
I get a 403 error saying "You are not authorized to access this page".
However, logged in as the same user, I can do
http://localhost:3000/users/1.xml
http://localhost:3000/users/2.xml
...
...
...
http://localhost:3000/users/n.xml
And I can access all the users, including their api keys.
Updated by Jan from Planio www.plan.io almost 9 years ago
- Status changed from New to Closed
- Private changed from Yes to No
- Resolution set to Invalid
Wesley Falcao wrote:
If I log in as a non-administrator and try -
I get a 403 error saying "You are not authorized to access this page".
That is intended. There is no public user list for non-admins. /users is the regular admin's user view. This might be seen as a missing feature but not a security problem.
However, logged in as the same user, I can do
http://localhost:3000/users/1.xml
http://localhost:3000/users/2.xml
...
...
...
http://localhost:3000/users/n.xml
This also works "as intended". Users are also able to use the non-API version of these links to see the same details:
Users can, however, define in their My Account page whether their email address may be shown on these pages or not.
And I can access all the users, including their api keys.
Nobody here was able to reproduce this particular claim. API keys are only shown if you are in fact admin or if you are looking at your own user.
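The access rules Jan describes above (user list admin-only; user detail visible to any logged-in user, with the email subject to the owner's My Account preference; API key only for admins or the user themselves), modelled as a small policy plus an audit check. This is an added illustration, not Redmine's own code; the User struct, the hide_mail flag and the field names are assumptions.

```ruby
# Added illustration of the access rules described in this ticket, not Redmine's
# own code. The User struct, hide_mail flag and field names are assumptions.
User = Struct.new(:id, :login, :mail, :api_key, :admin, :hide_mail, keyword_init: true)

# GET /users.xml: the user index is the admin's user view, so any other
# logged-in user receives 403 ("You are not authorized to access this page").
def users_index_status(viewer)
  viewer.admin ? 200 : 403
end

# GET /users/:id.xml: visible to any logged-in user, but which fields come back
# depends on who is asking and on the target's own "show my email" preference.
def user_representation(viewer, target)
  rep = { "id" => target.id, "login" => target.login }
  # email: admins and the user themselves always see it; others only if not hidden
  rep["mail"] = target.mail if viewer.admin || viewer.id == target.id || !target.hide_mail
  # api_key: only admins or the user looking at their own account
  rep["api_key"] = target.api_key if viewer.admin || viewer.id == target.id
  rep
end

# Audit helper: given a representation a viewer actually received for some
# target user, report whether an API key was exposed where the rule above says
# it should not have been. Useful for checking captured responses offline.
def api_key_leak?(viewer, target, rep)
  rep.key?("api_key") && !(viewer.admin || viewer.id == target.id)
end
```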