Other

Severity: Informational
Bug ID: 706
Researcher: zediwon
Status: Disclosed
Submitted: 09/28/2015

Description:

Hi, it is possible to learn the title, affected parameter and URL of bugs reported by other researchers through a simple bug.

Affected URL:

https://crowdshield.com/report_bug.php

Affected Params:

all

Bug Evidence:

Scenario:

1. Researcher uses a shared computer.
2. Researcher submits a report.
3. Researcher logs out.
4. Another person logs in, on another account.
5. Another person submits a report.
6. When entering a title, the title of the previous report submitted by the researcher is shown in the autocompletion box.

This gives away the title, report URL and affected parameter of the bug to other users of the web browser, even though the researcher logged out properly.


Bug Recommendation:

Simple: set autocomplete="off" on the <input> elements of the report form.
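An added audit script (not CrowdShield's code) that applies the recommendation above: it parses a form with Python's stdlib html.parser and lists the text-like inputs that carry neither their own autocomplete="off" nor a form-level one. The two sample forms, their field names (title, affected_url, affected_params) and the /report_bug.php action are constructed for illustration, not taken from the site.

```python
from html.parser import HTMLParser

# Input types whose typed values browsers keep in form history and offer back
# in the autocompletion box the report describes.
REMEMBERED_TYPES = {"text", "search", "url", "email", "tel", "number"}


class AutocompleteAudit(HTMLParser):
    """Collects inputs not covered by autocomplete="off" on the field or its form."""

    def __init__(self):
        super().__init__()
        self.form_off = False   # currently inside a <form autocomplete="off">?
        self.leaky = []         # names of fields the browser may remember

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attrs arrive as None
        if tag == "form":
            self.form_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input" and a.get("type", "text").lower() in REMEMBERED_TYPES:
            field_off = a.get("autocomplete", "").lower() == "off"
            if not (self.form_off or field_off):
                self.leaky.append(a.get("name", "<unnamed>"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False   # a later, unrelated input is not covered


def leaky_fields(html):
    """Return the names of inputs whose values the browser may autocomplete."""
    audit = AutocompleteAudit()
    audit.feed(html)
    audit.close()
    return audit.leaky


# Constructed stand-in for the report form (field names are assumed, not CrowdShield's).
VULNERABLE_FORM = """
<form action="/report_bug.php" method="post">
  <input type="text" name="title">
  <input type="url" name="affected_url">
  <input type="text" name="affected_params">
</form>"""

# The report's fix applied per field; autocomplete="off" on <form> would cover all.
HARDENED_FORM = """
<form action="/report_bug.php" method="post">
  <input type="text" name="title" autocomplete="off">
  <input type="url" name="affected_url" autocomplete="off">
  <input type="text" name="affected_params" autocomplete="off">
</form>"""
```

Browsers honour autocomplete="off" for ordinary text fields like these, but most modern browsers ignore it on credential fields, so the attribute controls form history only and does not replace clearing the browser's saved data on a shared machine.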

Direct Chat

zediwon 09/28/2015
submitted an Other bug to CrowdShield

CrowdShield 09/28/2015
Fixed this even though the severity is quite low. Thanks for reporting.

CrowdShield 09/28/2015
awarded 10 to zediwon for an Other bug

CrowdShield 09/28/2015
closed an Other bug submitted by zediwon

CrowdShield 09/28/2015
disclosed an Other bug submitted by zediwon
