Improper file deletion in francoisjacquet/rosariosis

Valid

Reported on

Apr 30th 2022


Description

When a user is created with a profile picture and deleted some time later, that user's profile picture still remains on the server even after the account has been deleted.

Proof of Concept

  1. Create a new student with a profile picture
  2. Delete this user
  3. Visit this URL: https://www.rosariosis.org/demonstration/assets/StudentPhotos/2021/{userID of Deleted user}.jpg

Remediation: delete the user's profile image rather than unlinking it.

Impact

Even after the user is deleted, the profile image remains on the server, which impacts the user's privacy.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a year ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a year ago
François (Maintainer), a year ago

Hello @jo125ker

Thank you for your report. Please note photo file names now have a random string so they cannot be predicted and accessed publicly. https://github.com/francoisjacquet/rosariosis/commit/f8b9f81355cff9f7967eb7f3a8a0b0d3b13e0dcb
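The two mitigations discussed on this page, the reporter's (remove the photo file when the account is deleted) and the maintainer's (make the file name unguessable), together with an audit that finds photos already orphaned on disk, as an added PHP example. This is not RosarioSIS code and not the content of the linked commit; it assumes the directory layout visible in the PoC URL (`StudentPhotos/<year>/<id>.jpg`), a hypothetical `<id>_<random>.jpg` variant for the randomised scheme, and PHP 8 for `str_starts_with`. The function names are made up for the example.

```php
<?php
// Added example, not RosarioSIS code. Assumed layout:
//   <photosDir>/<year>/<studentId>.jpg          (predictable, as in the report)
//   <photosDir>/<year>/<studentId>_<random>.jpg (hypothetical randomised scheme)
declare(strict_types=1);

/**
 * Delete every stored photo file of a student so that no image outlives the
 * account. Returns the absolute paths that were actually removed.
 */
function removeStudentPhotoFiles(string $photosDir, int $studentId): array
{
    $root = realpath($photosDir);
    if ($root === false) {
        return [];
    }
    $patterns = [
        $photosDir . '/*/' . $studentId . '.jpg',
        $photosDir . '/*/' . $studentId . '_*.jpg',
    ];
    $removed = [];
    foreach ($patterns as $pattern) {
        foreach (glob($pattern) ?: [] as $path) {
            // realpath() resolves symlinks; refuse anything that resolves outside the tree
            $real = realpath($path);
            if ($real === false || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
                continue;
            }
            if (unlink($real)) {
                $removed[] = $real;
            }
        }
    }
    return $removed;
}

/**
 * Build a file name that keeps the id (so cleanup can still find the file)
 * but appends 128 bits of CSPRNG output so the URL cannot be enumerated by id.
 * The exact format used by the project's fix may differ.
 */
function randomPhotoFilename(int $studentId): string
{
    return $studentId . '_' . bin2hex(random_bytes(16)) . '.jpg';
}

/**
 * Audit helper: list photo files whose leading numeric id is not in the set of
 * existing student ids, i.e. images left behind by earlier deletions.
 */
function findOrphanedPhotos(string $photosDir, array $existingStudentIds): array
{
    $known = array_fill_keys(array_map('intval', $existingStudentIds), true);
    $orphans = [];
    foreach (glob($photosDir . '/*/*.jpg') ?: [] as $path) {
        // Accept both "<id>.jpg" and "<id>_<random>.jpg"
        if (preg_match('/^(\d+)(?:_[0-9a-f]+)?\.jpg$/i', basename($path), $m) !== 1) {
            continue;
        }
        if (!isset($known[(int) $m[1]])) {
            $orphans[] = $path;
        }
    }
    return $orphans;
}

// Usage sketch for a deletion handler (ids are constructed sample values):
//   $name    = randomPhotoFilename(42);                       // e.g. "42_<32 hex chars>.jpg"
//   $removed = removeStudentPhotoFiles('/srv/rosariosis/assets/StudentPhotos', 42);
//   $stale   = findOrphanedPhotos('/srv/rosariosis/assets/StudentPhotos', [1, 2, 3]);
```

Deleting the file and randomising the name are complementary: the random suffix stops an outsider from guessing the URL, while removing the file on deletion is what actually honours the user's privacy expectation, and the audit catches images written before either change was deployed.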

François Jacquet validated this vulnerability a year ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 9.0 with commit 59d8d0 a year ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE