SECUREDROP = 0.3 – Possible Backdoor and Privileges Escalation by Unauth User (seclists.org) 5 points by jmedwards 11y ago ↗ HN
[–] fabulist 11y ago ↗ Relevant portion of the rant: File /securedrop/journalist.py, lines 125-128, missing @admin_required decorator 125 @app.route('/admin/add', methods=3D('GET', 'POST')) 126 def admin_add_user(): 127 # TODO: process form submission 128 return render_template("admin_add_user.html") Ouch!
2 comments
[ 3.1 ms ] story [ 11.6 ms ] thread