Details
- Type: Bug
- Resolution: Answered
- Priority: Medium
- Affects Version/s: 2.4.0, 2.7.12
- Fix Version/s: None
Description
There are some resources exposed in FeCru for which a user may get a 403 or a 404 HTTP response code depending on whether the resource exists. Because the permission check is done earlier than the existence check, the server may leak the existence of a particular resource to the requestor, even when the requestor doesn't have permission to access that resource.
The current behaviour seems more in line with the definitions of the HTTP 403 and 404 status codes (see RFC 2616), but it allows an information leak.
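The following is an added example, not FeCru code, that models the observable behaviour described above with a constructed in-memory resource store and ACL (all names and ids are hypothetical): the leaky handler answers 403 for an existing resource and 404 for a missing one even to a caller without permission, while the hardened handler collapses both cases to 404 so that existence is revealed only to callers who are allowed to read the resource.

```python
from typing import Callable

# Constructed sample data: one review exists and only alice may read it.
RESOURCES = {"review-1": "design review contents"}
ACL = {"review-1": {"alice"}}


def can_read(user: str, resource_id: str) -> bool:
    """Hypothetical permission check against the constructed ACL."""
    return user in ACL.get(resource_id, set())


def handle_leaky(user: str, resource_id: str) -> int:
    """Models the behaviour in the report: the status code differs between
    a missing resource (404) and an existing one the caller may not read (403),
    so an unauthorised caller can probe which ids exist."""
    if resource_id not in RESOURCES:
        return 404
    if not can_read(user, resource_id):
        return 403
    return 200


def handle_uniform(user: str, resource_id: str) -> int:
    """Hardened variant: a caller without permission gets 404 whether or not
    the resource exists. RFC 2616 section 10.4.4 explicitly allows 404 in place
    of 403 when the server does not wish to reveal why access was refused.
    Callers who do hold permission still see a genuine 404 for missing ids."""
    if resource_id not in RESOURCES or not can_read(user, resource_id):
        return 404
    return 200


def distinguishable(handler: Callable[[str, str], int], user: str,
                    existing_id: str, missing_id: str) -> bool:
    """True when the status code alone tells `user` that `existing_id`
    exists and `missing_id` does not; the check a reviewer would run against
    an endpoint to confirm the leak is closed."""
    return handler(user, existing_id) != handler(user, missing_id)


if __name__ == "__main__":
    for name, handler in (("leaky", handle_leaky), ("uniform", handle_uniform)):
        leak = distinguishable(handler, "bob", "review-1", "review-999")
        print(f"{name}: unauthorised caller can detect existence = {leak}")
```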