4.4 GHT2-004 --- Insecure ACL and Leaking of Reports
Vulnerability ID: GHT2-004
Retest status:
Vulnerability type: Insecure ACL
Threat level: Elevated
Description:
Reports are stored at https://{website}/media/grades/{randomnumber}/{reportname}.csv and can be downloaded by anyone who knows the URL.
Technical description:
Example URL:
Output showing Personally Identifiable Information (PII):
Example of the URL leaked to an external system:
This means that anyone who has access to the Livestats system is able to read the contents of the report.
Impact:
- Anyone who knows the URL (e.g. leaked through logs, history on shared computers) is able to access the file containing PII.
Recommendation:
- Only allow authorized users to download reports and deny access to all others.
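The following is an added example of the recommended fix; it is not code from the report or from the assessed application. It assumes (hypothetically) that report files are moved out of the web-served media directory into a private directory, that each report record stores its owner and the roles permitted to read it, and that the web framework has already authenticated the requesting user. The download handler then grants access only after an explicit authorization check, so an unguessable URL is no longer the only protection, and the report is addressed by an opaque id that can safely be passed to external systems such as Livestats.

```python
"""Added example (not from the report): serve stored reports only to
authorized users instead of relying on an unguessable URL.

Assumptions (hypothetical, not from the report): report files live outside
the web root in REPORT_ROOT; each report record stores its owner and the
roles allowed to read it; the caller has already authenticated the user.
"""
from dataclasses import dataclass, field
from pathlib import Path, PurePosixPath
from typing import Dict, Optional, Set, Tuple

# Hypothetical private directory that the web server never serves directly.
REPORT_ROOT = Path("/srv/app/private/reports")


@dataclass
class Report:
    report_id: str            # opaque id handed to clients and external systems
    filename: str             # stored basename only, never a client-supplied path
    owner: str
    allowed_roles: Set[str] = field(default_factory=set)


@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)


# Constructed sample records; a real application would load these from its database.
REPORTS: Dict[str, Report] = {
    "r-1001": Report("r-1001", "grades_class_a.csv", owner="teacher1", allowed_roles={"admin"}),
    "r-1002": Report("r-1002", "grades_class_b.csv", owner="teacher2", allowed_roles={"admin"}),
}


def is_authorized(user: Optional[User], report: Report) -> bool:
    """Deny by default: only the owner or a user holding an allowed role may read."""
    if user is None:
        return False
    return user.username == report.owner or bool(user.roles & report.allowed_roles)


def resolve_report_path(report: Report) -> Path:
    """Build the on-disk path from the stored basename and refuse anything that
    would escape REPORT_ROOT (defence in depth if a bad filename reaches the DB)."""
    name = PurePosixPath(report.filename).name
    if name != report.filename or name in ("", ".", ".."):
        raise ValueError("invalid stored filename")
    path = (REPORT_ROOT / name).resolve()
    if path.parent != REPORT_ROOT.resolve():
        raise ValueError("path escapes report directory")
    return path


def download_report(user: Optional[User], report_id: str) -> Tuple[int, str]:
    """Authorization-enforcing download handler.

    Returns (HTTP status, body or file path). Unknown and forbidden reports both
    yield 404 so the endpoint does not reveal which report ids exist.
    """
    report = REPORTS.get(report_id)
    if report is None or not is_authorized(user, report):
        return 404, "not found"
    try:
        path = resolve_report_path(report)
    except ValueError:
        return 500, "report unavailable"
    # A real handler would stream the file from `path` with an attachment header.
    return 200, str(path)


if __name__ == "__main__":
    print(download_report(User("teacher1"), "r-1001"))   # owner: allowed
    print(download_report(User("teacher1"), "r-1002"))   # not owner, no role: 404
    print(download_report(User("auditor", {"admin"}), "r-1002"))  # role: allowed
    print(download_report(None, "r-1001"))               # unauthenticated: 404
```

Because the file is referenced only by `report_id` and fetched through `download_report`, a URL that ends up in logs, browser history or an external dashboard carries no access right by itself; the server re-checks the requester's identity and permissions on every download.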