Improper file deletion in francoisjacquet/rosariosis

Valid

Reported on

Apr 30th 2022


Description

When a user created with a profile picture and deleted after some time the profile picture of that user is still remain on the server even after deleting the user's account

Proof of Concept

  1. Create a new student with a profile picture
  2. Delete this user
  3. And visit this url https://www.rosariosis.org/demonstration/assets/StudentPhotos/2021/{userID of Deleted user}.jpg

Remediation:- Delete the user's profile image rather than unlinking it

Impact

Even after deleting the user's profile image remain on server which impact on user's privacy.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a month ago
François
a month ago

Maintainer


Hello @jo125ker

Thank you for your report. Please note photos file name now has a random string so it cannot be predicted and accessed publicly. https://github.com/francoisjacquet/rosariosis/commit/f8b9f81355cff9f7967eb7f3a8a0b0d3b13e0dcb

François Jacquet validated this vulnerability a month ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on 59d8d0 a month ago
François Jacquet has been awarded the fix bounty
to join this conversation