Dre (exor674) wrote in lj_dev,
Dre
exor674
lj_dev

Bug in /customize/advanced/styles.bml when using canview.

This will likely affect everyone with a small number of webslaves.

If you happen to get assigned to the same webslave and process of somebody that
recently used canview on /customize/advanced/styles.bml and attempt to save your
style, you will get redirected to a url with ?user=canview_victim

This does not allow the user without canview to actually view canview_victim's
styles, but still leaks information that canview was used, and whom it was used
on.

Patch can be found here:
http://code.livejournal.org/trac/livejournal/changeset/15078/trunk/htdocs/customize/advanced/styles.bml
Tags: *announce, bugs, bugs: privacy, server, server: privacy, server: privs
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 0 comments