[ZendTo] Re: Using a foreign ZendTo-Server as a file hoster
John Thurston
john.thurston at alaska.gov
Thu Sep 18 20:26:31 BST 2014
On 9/17/2014 11:43 AM, Scheidt, Stefan wrote:
> Hi!
>
> I think I just found a serious flaw in the default templates shipped
> with ZendTo.
>
> If you upload a file as an unauthorized user, the claimID and
> claimPasscode are included as hidden fields in the "Drop-Off Summary"
> page as a part of the "deleteDropoff" form, even if you don't have
> the permission to delete the DropOff.
- snip -
> Can anybody confirm this behaviour or prove me wrong?
I have confirmed this behavior in my 4.11 installation.
Next I will confirm your proposed modification to the behavior.
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska
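
A check for the behaviour reported above, as an added example that is not part of the original message and is not ZendTo code: it scans a rendered "Drop-Off Summary" page for non-empty hidden claimID / claimPasscode inputs inside the deleteDropoff form. It assumes the form carries a name or id of "deleteDropoff"; both sample pages and their values are constructed.

```python
from html.parser import HTMLParser

# Field names taken from the report; compared case-insensitively.
SENSITIVE = {"claimid", "claimpasscode"}


class HiddenFieldAudit(HTMLParser):
    """Record sensitive hidden inputs together with the form that holds them."""

    def __init__(self):
        super().__init__()
        self.form = None        # name/id of the form currently open, if any
        self.findings = []      # list of (form name, field name)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # Assumption: the form is identifiable by its name or id attribute.
            self.form = a.get("name") or a.get("id") or "(unnamed)"
        elif tag == "input" and self.form is not None:
            hidden = a.get("type", "").lower() == "hidden"
            if hidden and a.get("name", "").lower() in SENSITIVE and a.get("value"):
                self.findings.append((self.form, a["name"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None


def leaked_claim_fields(html, form_name="deleteDropoff"):
    """Return the sensitive hidden field names found inside form_name."""
    audit = HiddenFieldAudit()
    audit.feed(html)
    audit.close()
    return sorted(name for form, name in audit.findings if form == form_name)


# Constructed sample: summary page as the report describes it.
LEAKY_PAGE = """
<h1>Drop-Off Summary</h1>
<form name="deleteDropoff" method="post">
  <input type="hidden" name="claimID" value="CONSTRUCTED-ID"/>
  <input type="hidden" name="claimPasscode" value="CONSTRUCTED-PASS"/>
</form>"""

# Constructed sample: a rendering with no claim values in that form.
CLEAN_PAGE = '<h1>Drop-Off Summary</h1><form name="deleteDropoff"></form>'

if __name__ == "__main__":
    print("leaky:", leaked_claim_fields(LEAKY_PAGE))
    print("clean:", leaked_claim_fields(CLEAN_PAGE))
```

Run against a saved copy of the summary page as rendered for an unauthenticated session, before and after any template change, an empty result means the claim values are no longer embedded in that form.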