Few issues with the platform - more testing notes #153

Open
skiddie0057 opened this issue May 12, 2023 · 0 comments

skiddie0057 commented May 12, 2023

Upon testing I've noticed a few more things.

1.) Most error handling doesn't show custom error pages; instead it shows a part of the code as well as what framework/library it uses through the source code. Ex. (when logged in, access this) https://cerebratepp.melicertes.eu/users/login?redirect=abc
This might be resolved by turning debug mode off, but it looks like the issue is a little bit larger - a lot of errors appear in places they shouldn't (from permissions to general usage of the platform; some are listed here, some previously submitted).

2.) A lot of operations that should work for my user give errors, ex. when pressing "Audit changes" on my user I get "Error while loading the modal Network response was not ok. Method Not Allowed", or editing some things about my own user or even organization, and I'm the only member.

3.) The download button on the organization search seems to download everything regardless of the search query? I ran an empty query and it downloaded a JSON file with a lot of results.

4.) When searching, the popdown is huge, and so are the search results - PGP keys widen the whole website; I'd recommend just displaying the first ex. 50 characters maybe, yet searching everything.

5.) I've added two mailing lists, both are throwaway entries; none of them are visible. Bug: mailing lists aren't visible.

6.) https://cerebratepp.melicertes.eu/user-settings/index?Users.id=87# As reported previously, the user ID for the request is 0, which is incorrect; it should be the user's ID, and that might be why it doesn't allow some changes. This could already be fixed though; please check all edits (especially the one for the Table - JSON formatted one).

7.) Tagging organizations - if there is a single quote in a tag for an organization, the tag cannot be deleted: https://cerebratepp.melicertes.eu/organisations/view/702 ; I didn't want to poke around more with this so I just submitted this as a bug. I assume there might be an ability to either affect the code (cause errors, inject code maybe) or the database. Please check and fix.

8.) You can input anything into the UUID field; it has a string limit, but it allows any strings. Since it goes into the database and also gets reflected back, this could allow for SQLi or even XSS with enough effort (output sanitization seems well done so far, but you never know - I didn't try testing the platform with tools like XSSer; I haven't tried specific WAF-evasive payloads either).

9.) It looks like if I create another user and give it all possible Meta fields, that user will get all the permissions? It seems odd since I can't modify permissions for myself but I can for that other user. Also this could (if it's giving permissions) give the user too many permissions. I'm not sure though, please investigate (and also, should I be able to edit perms for myself?)

10.) There is no Clear filters button; every time I put some filters on I have to manually turn them off.

11.) Keycloak doesn't check if the entry is an email when you click "Forgot password". It accepts basically any input - this is easily fixable, yet could cause problems if it doesn't get fixed.

That would be all, thank you for reading :) I hope I helped.

Kind regards,

F.O.
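The strict server-side check that item 8 is asking for, as an added example in plain PHP (the language Cerebrate is written in); this is not code from the Cerebrate project, and the function names, the pattern and the sample inputs are all constructed here:

```php
<?php
declare(strict_types=1);

// Added example, not Cerebrate's code: accept only a well-formed RFC 4122 UUID
// before the value reaches the database or is reflected back to the browser.
// Shape 8-4-4-4-12 hex groups, version nibble 1-5, variant nibble 8-b.
const UUID_PATTERN = '/\A[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\z/i';

function isValidUuid(string $value): bool
{
    return preg_match(UUID_PATTERN, $value) === 1;
}

// Normalise to lowercase on success, throw on anything else, so a caller
// cannot accidentally store or echo the raw submitted string.
function requireUuid(string $value): string
{
    if (!isValidUuid($value)) {
        throw new InvalidArgumentException('Field must be an RFC 4122 UUID');
    }
    return strtolower($value);
}

// Constructed sample inputs: one valid UUID, then the kinds of strings the
// report is concerned about (a quote, markup, and wrong-shaped values).
$samples = [
    '550E8400-E29B-41D4-A716-446655440000' => true,
    "' OR 1=1"                             => false, // quote character
    '<b>not a uuid</b>'                    => false, // markup
    '550e8400e29b41d4a716446655440000'     => false, // no dashes
    '550e8400-e29b-41d4-a716-44665544000'  => false, // one character short
    '550e8400-e29b-01d4-a716-446655440000' => false, // invalid version nibble
];

foreach ($samples as $input => $expected) {
    $result = isValidUuid($input);
    printf("%-42s %s\n", var_export($input, true), $result ? 'accepted' : 'rejected');
    assert($result === $expected);
}

// Normalised form is what gets persisted and rendered.
echo requireUuid('550E8400-E29B-41D4-A716-446655440000'), "\n";
```

A length limit alone (as the report notes the field has) does not stop a quote or markup from being stored; a shape check like this rejects it at the boundary, while output encoding remains the defence for fields such as tags where a quote is legitimate input.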
