0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: CRITICAL

Location: src/Controllers/ForumController.php:1048-1102

Bug: vote() and react() load the post, but never call Forum::canView($thread['forum_id'], $user, $role).

Fix: Resolve thread→forum_id and gate both actions.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:26pm

Resolved.

Added Forum::canView + !Forum::isPreviewOnly guards to both AJAX endpoints in src/Controllers/ForumController.php:

  • vote() — resolves the post's thread, checks visibility of the parent forum, returns 404 on failure before calling ForumVote::cast.
  • react() — same resolve + visibility gate before calling PostReaction::toggle. Previously react() also didn't findById the post at all.

Both endpoints return a 404 JSON shape that matches existing patterns so the client UI degrades gracefully.

Locking this thread.
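The gate described in this reply, written out as an added PHP example that is not the project's code: Forum::canView($forumId, $user, $role) is the signature quoted in the report, while Post::findById, Thread::findById, Forum::isPreviewOnly($forumId), the argument lists of ForumVote::cast and PostReaction::toggle, and the 404 JSON shape are assumed stand-ins for the real ones. It factors the post → thread → forum resolution into one helper so both endpoints cannot drift apart again.

```php
<?php
// Added example, not the project's code. Assumed names: Post::findById,
// Thread::findById, Forum::isPreviewOnly, and the cast()/toggle() arguments.

final class ForumController
{
    /** Resolve post -> thread -> forum and apply the visibility gate once. */
    private function resolveViewablePost(int $postId, $user, $role): ?array
    {
        $post = Post::findById($postId);          // react() used to skip this lookup
        if ($post === null) {
            return null;
        }
        $thread = Thread::findById((int) $post['thread_id']);
        if ($thread === null) {
            return null;
        }
        $forumId = (int) $thread['forum_id'];
        // Deny unless the caller may view the parent forum and it is not preview-only.
        if (!Forum::canView($forumId, $user, $role) || Forum::isPreviewOnly($forumId)) {
            return null;
        }
        return $post;
    }

    /** One 404 shape for "missing" and "not visible", so no existence oracle. */
    private function notFoundJson(): void
    {
        http_response_code(404);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Not found']);
    }

    public function vote(int $postId, int $value, $user, $role): void
    {
        $post = $this->resolveViewablePost($postId, $user, $role);
        if ($post === null) {
            $this->notFoundJson();
            return;
        }
        ForumVote::cast($post, $user, $value);     // only reached after the gate
    }

    public function react(int $postId, string $emoji, $user, $role): void
    {
        $post = $this->resolveViewablePost($postId, $user, $role);
        if ($post === null) {
            $this->notFoundJson();
            return;
        }
        PostReaction::toggle($post, $user, $emoji); // only reached after the gate
    }
}
```

Returning the same 404 for a nonexistent post and for a post in a forum the caller may not view keeps the endpoints from confirming which post IDs exist.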
