Home
Forums
XenForo bug reports
Bug reports
CSS for disabled styles can be accessed by everyone

Reply to thread

Message

There are a couple issues at play:
css.php deliberately run in the context that it is always guest access, thus allowing aggressive caching to be shared for all users
The "user selectable" flag on a style is not actually a "disabled" flag.
css.php arguments are not fully signed to prevent tampering.
There hash passed in is about the template list, and doesn't include the style & language ids.

[QUOTE="Xon, post: 1590918, member: 71874"] There are a couple issues at play: [LIST] [*]css.php deliberately run in the context that it is always guest access, thus allowing aggressive caching to be shared for all users [*]The "user selectable" flag on a style is not actually a "disabled" flag. [*]css.php arguments are not fully signed to prevent tampering. [LIST] [*]There hash passed in is about the template list, and doesn't include the style & language ids. [/LIST] [/LIST] [/QUOTE]

Verification

Home
Forums
XenForo bug reports
Bug reports
CSS for disabled styles can be accessed by everyone

Reply to thread

We value your privacy