XenForo
Administrative
- Thread starter
- Admin
- #1
I've noticed that when a post is submitted with an attachment_hash present, no validation is performed to check that the hash was generated for the same content-editor, or worse yet, even the same user account.
In the worst case, although highly unlikely, this can allow a user to "steal" attachments that were uploaded by another user and associate them to their post first (either they know the hash or they guessed the hash).
An easier example: a user with access to multiple accounts can...
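The missing check described in the post above, as an added example that is not part of the original post and is not XenForo's code: a small Python model of a temporary-upload store, with the hash-only association beside one that also requires the same user and the same editor context. Every class, method and field name here is hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class TempUpload:
    user_id: int                      # account that uploaded the file
    content_type: str                 # editor the upload was made in, e.g. "post"
    filename: str
    content_id: Optional[int] = None  # set once attached to saved content


class AttachmentStore:
    """Hypothetical in-memory model of uploads grouped by attachment hash."""

    def __init__(self):
        self.uploads = {}     # attachment_hash -> list of TempUpload
        self.rejections = []  # (hash, user_id, content_type) audit trail

    def upload(self, user_id, content_type, filename):
        attachment_hash = secrets.token_hex(16)
        self.uploads.setdefault(attachment_hash, []).append(
            TempUpload(user_id, content_type, filename))
        return attachment_hash

    def associate_unchecked(self, attachment_hash, user_id, content_type, content_id):
        # Behaviour described in the post: the submitted hash alone is trusted.
        claimed = []
        for u in self.uploads.get(attachment_hash, []):
            if u.content_id is None:
                u.content_id = content_id
                claimed.append(u.filename)
        return claimed

    def associate_checked(self, attachment_hash, user_id, content_type, content_id):
        # Only claim uploads recorded for the same user and the same editor;
        # anything else is left untouched and logged for review.
        claimed = []
        for u in self.uploads.get(attachment_hash, []):
            if u.content_id is not None:
                continue
            if (u.user_id, u.content_type) != (user_id, content_type):
                self.rejections.append((attachment_hash, user_id, content_type))
                continue
            u.content_id = content_id
            claimed.append(u.filename)
        return claimed
```

The `rejections` list is the detection side of the fix: a mismatch between the submitting account and the recorded uploader is worth an audit log entry.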