Different behaviors while directly visiting project URLs #1284
Comments
You're correct, thanks for bringing this up. I believe it's a tradeoff we're doing right now, to ease the life of the users. Some more context:
Mitigations:
What do you think?
We want to display the authentication page in all cases, and ideally merge the project creation form with the one from the homepage.
Sorry for the late reply, that would be better in terms of security,
Hello,
An attacker could find out which projects exist by simply brute-force checking localhost:8080/testproject. If the returned page is the authentication page, then he knows the project exists; if the project does not exist, the returned page will be the create project page. It also applies to the user/bill index. The returned pages are different and the index is easy to guess. All those trials do not need any login/privilege at all.