alwaysdata All Projects: Tasklist

	ID	Status	Summary	Opened by
	70	Closed	~~ClickJacking Leads to deletion of user profile~~	elit3pwner	Task Description Description: There is clickjacking vulnerability at https://admin.alwaysdata.com/admin/details/ endpoint. And, for deleting a profile, we just need two clicks. Steps to reproduce: 1) Open your browser and search for https://admin.alwaysdata.com/admin/details/ 2) create an html file that overlays delete this profile icon and then the submit button. Impact: Admin's account can be deleted in two clicks.
	69	Closed	~~EXIF metadata not stripped~~	elit3pwner	Task Description Summary: When uploading images in ticket option, the EXIF metadata is not removed or changed in any way. Description: When answering in the ticket, you can upload a file, and if you upload an image with EXIF metadata on it, it isn't stripped. This can lead to disclosure of location where photo was taken or other personal information by the photo uploader if their group is public, as anyone can download the logo and check the metadata. Steps To Reproduce: 1) Create a ticket. 2) Upload an image with exif metadata. 3) Now, download the same image and check the metadata. Link to POC: https://drive.google.com/file/d/1KflN8xTcF6Gq-0x1wo-n65KkT9ScNHMl/view?usp=sharing

Closed

~~ClickJacking Leads to deletion of user profile~~

Task Description

Description: There is clickjacking vulnerability at https://admin.alwaysdata.com/admin/details/ endpoint. And, for deleting a profile, we just need two clicks.

Steps to reproduce:
1) Open your browser and search for https://admin.alwaysdata.com/admin/details/ 2) create an html file that overlays delete this profile icon and then the submit button.

Impact: Admin's account can be deleted in two clicks.

Closed

~~EXIF metadata not stripped~~

elit3pwner

Task Description

Summary: When uploading images in ticket option, the EXIF metadata is not removed or changed in any way.
Description: When answering in the ticket, you can upload a file, and if you upload an image with EXIF metadata on it, it isn't stripped. This can lead to disclosure of location where photo was taken or other personal information by the photo uploader if their group is public, as anyone can download the logo and check the metadata.
Steps To Reproduce:
1) Create a ticket.
2) Upload an image with exif metadata.
3) Now, download the same image and check the metadata.

Link to POC: https://drive.google.com/file/d/1KflN8xTcF6Gq-0x1wo-n65KkT9ScNHMl/view?usp=sharing

Showing tasks 1 - 2 of 2 Page 1 of 1

Available keyboard shortcuts

Alt + ⇧ Shift + l Login Dialog / Logout
Alt + ⇧ Shift + a Add new task
Alt + ⇧ Shift + m My searches
Alt + ⇧ Shift + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + ⇧ Shift + e ↵ Enter Edit this task
Alt + ⇧ Shift + w watch task
Alt + ⇧ Shift + y Close Task

Task Editing

Alt + ⇧ Shift + s save task