Possible security issue with packages
jeffmartin
Registered Users Posts: 1 Beginner grinner
support dudes-
I'm not sure if I had a password cached but you might want your QA team to check this out. If this is a valid bug, then it's a pretty bad one.
Set up several password restricted galleries using different passwords. Create a package and add those galleries to be able to use that package. Log out from owner access. Go to one of the galleries and enter the password. Select a photo, click buy and select the package you just created. Now go to the bottom part of the screen and change gallery to one of the galleries that your user _shouldn't_ have the password to. You do not get prompted for a password and it just lets you select those photos and presumably print them.
Like I said, I haven't gone to much effort to validate this bug myself so it may be invalid....but I doubt it.
thanks,
-Jeff
Comments
The default behavior of packages is that they do have access to passworded galleries. We are discussing alternatives for this internally. Thanks for the input.
--Doc
http://help.smugmug.com
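The gallery switch reported in this thread, modelled as an added example (not SmugMug's code; the session model, function names and sample data are all hypothetical). It contrasts a handler that checks only package membership with one that also re-checks which galleries the visitor has unlocked.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SALT = b"constructed-salt"  # constructed sample value


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample data: two galleries with different passwords, one package.
GALLERY_HASH = {"wedding": pw_hash("w-pass"), "portraits": pw_hash("p-pass")}
PHOTOS = {"wedding": ["w1.jpg", "w2.jpg"], "portraits": ["p1.jpg"]}
PACKAGE_GALLERIES = {"pkg-1": {"wedding", "portraits"}}


@dataclass
class VisitorSession:
    # Galleries this visitor has unlocked by entering the right password.
    unlocked: set = field(default_factory=set)


def unlock(session, gallery_id, password):
    ok = hmac.compare_digest(GALLERY_HASH[gallery_id], pw_hash(password))
    if ok:
        session.unlocked.add(gallery_id)
    return ok


def package_photos_permissive(session, package_id, gallery_id):
    # Behaviour described in the thread: package membership is the only check.
    if gallery_id not in PACKAGE_GALLERIES[package_id]:
        raise PermissionError("gallery not in package")
    return PHOTOS[gallery_id]


def package_photos_checked(session, package_id, gallery_id):
    # Alternative: re-check the visitor's own unlock state on every gallery switch.
    if gallery_id not in PACKAGE_GALLERIES[package_id]:
        raise PermissionError("gallery not in package")
    if gallery_id not in session.unlocked:
        raise PermissionError("password required for gallery " + gallery_id)
    return PHOTOS[gallery_id]
```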