OP Regular Newbie Apr 17, 2026 6:24pm

Severity: CRITICAL

Location: src/Controllers/ForumController.php:1106-1231

Bug: Author/mod check runs, but no Forum::canView — a post author removed from a private forum can still edit/delete.

Fix: Add forum-visibility gate after thread lookup.

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:26pm

Resolved.

Added Forum::canView + !Forum::isPreviewOnly guards after thread lookup to all three handlers in src/Controllers/ForumController.php:

  • deletePost()
  • editPost()
  • updatePost()

A post author who was later removed from the private forum can no longer edit or delete their old posts. Moderators from unrelated forums are also now confined to their own forum's scope through the same gate.

Returns 404 on failure (rather than a flash redirect) so the path no longer leaks "this post exists" to an unauthorized caller.

Locking this thread.
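The guard described in the resolution post, as an added example that is not code from this thread or from the forum software behind 6502ish.com. It shows an author/mod-only handler next to one with the visibility gate inserted right after the post lookup. Forum::canView() and Forum::isPreviewOnly() are the names the post uses; the in-memory models, the member-list view of a private forum, the site-wide moderator flag, and the editPostBefore/editPostAfter function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or the forum's own codebase.
// Forum::canView() and Forum::isPreviewOnly() follow the post; the membership
// list, the site-wide moderator flag and the status-code strings are assumed.

final class Forum
{
    /** @param int[] $memberIds users allowed to see this private forum */
    public function __construct(
        public readonly int $id,
        private readonly array $memberIds,
        private readonly bool $previewOnly = false,
    ) {}

    public function canView(int $userId): bool
    {
        return in_array($userId, $this->memberIds, true);
    }

    public function isPreviewOnly(): bool
    {
        return $this->previewOnly;
    }
}

final class Post
{
    public function __construct(
        public readonly int $id,
        public readonly int $forumId,
        public readonly int $authorId,
        public string $body,
    ) {}
}

final class User
{
    // Assumption: moderator is a site-wide role, as in many simple forums.
    public function __construct(public readonly int $id, public readonly bool $isMod = false) {}
}

// Before the fix: lookup, then author-or-mod check, nothing about the forum.
function editPostBefore(User $user, int $postId, string $newBody, array $posts): string
{
    $post = $posts[$postId] ?? null;
    if ($post === null) {
        return '404';
    }
    if ($post->authorId !== $user->id && !$user->isMod) {
        return '403';
    }
    $post->body = $newBody;
    return '200';
}

// After the fix: visibility gate immediately after the lookup and before the
// author/mod check; it answers 404 so an unauthorised caller cannot tell
// "no such post" from "a post you may not see".
function editPostAfter(User $user, int $postId, string $newBody, array $posts, array $forums): string
{
    $post = $posts[$postId] ?? null;
    if ($post === null) {
        return '404';
    }
    $forum = $forums[$post->forumId] ?? null;
    if ($forum === null || !$forum->canView($user->id) || $forum->isPreviewOnly()) {
        return '404';
    }
    if ($post->authorId !== $user->id && !$user->isMod) {
        return '403';
    }
    $post->body = $newBody;
    return '200';
}

// Constructed data: forum 7 is private and no longer lists user 1, who wrote
// post 42 while still a member; forum 9 is preview-only; user 4 moderates
// site-wide but is only a member of forum 8.
$forums = [
    7 => new Forum(7, [2, 3]),
    8 => new Forum(8, [1, 4]),
    9 => new Forum(9, [1], previewOnly: true),
];
$posts = [
    42 => new Post(42, 7, 1, 'written while a member'),
    43 => new Post(43, 9, 1, 'post in a preview-only forum'),
];

$cases = [
    'removed author edits own old post'  => [new User(1), 42],
    'mod of unrelated forum edits post'  => [new User(4, isMod: true), 42],
    'current member, not author, no mod' => [new User(2), 42],
    'author edits post in preview-only'  => [new User(1), 43],
];
foreach ($cases as $label => [$user, $postId]) {
    printf("%-36s before=%s after=%s\n", $label,
        editPostBefore($user, $postId, 'x', $posts),
        editPostAfter($user, $postId, 'x', $posts, $forums));
}
```

Run it with `php example.php`. The same gate would sit in deletePost() and updatePost() at the same point, just after the lookup and before anything that reads from or writes to the post; placing it after the author/mod check would still let the removed author reach the mutation path.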

