Had something similar happen where I had access to the admin menu....
Bug reports on any software
When a bug tracker is inside the exclusive walled gardens of MS Github or Gitlab.com, and you cannot or will not enter, where do you file your bug report? Here, of course. This is a refuge where you can report bugs that are otherwise unreportable due to technical or ethical constraints.
⚠ Of course there are no guarantees it will be seen by anyone relevant. Hopefully some kind souls will volunteer to proxy the reports.
You're on a different instance... can you describe what happened when it happened to you?
I was on a random page and when I selected a menu and one of the options was labelled admin.
It's gone now but was certainly a bit strange.
Very interesting, did it only last one page load?
Yes, I didn't actually click on it either but once I reloaded it was gone.
If this is true, it probably shouldn't be posted publicly... This is giving people who know how to exploit it an idea where to look and how to get in.
Indeed it’s a shame the Lemmy project gives no instructions for privately reporting security bugs. We could call that a bug in itself. And sadly Lemmy is not in the official Debian repos (if it were, ~~I think~~ Debian’s bug tracker has built-in support for reporting security bugs {reportbug …--security-team…}). They mirror to gitea instances but sadly they disabled the bug tracker in those more neutral venues (though it may not matter in this case since gitea seems to have no security bug reporting feature {“reported”, in a sense}).
update
I just realized I can DM them at their mastodon acct (which is tricky in Lemmy considering the UI does not support it -- yet another bug!), so I did so. So if they request I delete this thread I will.
Normally I'd agree that unauthenticated privilege escalation to an administrator account is something that should only ever be reported privately, but this sounds more like a caching bug on the sopuli instance, in which case OP didn't actually have (theoretical) access to the cookie, although it may be something else. It also brings to attention the lack of a published email and optional PGP key for reporting. Though, that it was the admin account makes me wonder if the admin wasn't tinkering with something, causing this to happen for a split second.
@[email protected] I'm curious to hear the response from the admin, will you ping me if they don't mind you sharing their response?
The only interesting bit from the admin was to concur that the color theme I saw in fact matched their personal color theme. But I just put the admin in the loop here in case there is more to say.
At the time when I got the message, I wasn't doing any kind of tinkering with the instance.
I have seen a caching (I believe) issue on an nginx/Express service where the POST payload was valid but much larger than normally expected, and it returned all of the company's customers' orders in the queue instead of only ours. On refresh, it was fine. It never did get fixed as far as I know, as they had trouble reproducing it even though I provided video and steps multiple times. I wasn't able to produce a PoC script because it was linked to the order/payment process, and wouldn't go through twice without payment. I don't know for sure it was a caching issue in the end, but the similarity should be noted.
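Added illustration, not code from the thread or from Lemmy: a minimal model of the caching hypothesis raised in the two posts above (a proxy cache keyed on the URL alone hands one user's rendered header, name and theme included, to the next visitor of that URL), beside a cache that honours `Cache-Control: private` and `Vary`. The session table, paths, `backend` and `ProxyCache` are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)

# Constructed session table (hypothetical values, not from any real instance).
SESSIONS = {"sess-admin": ("admin", "dark"), "sess-alice": ("alice", "light")}

def backend(path: str, cookie: Optional[str]) -> Response:
    """Origin app: renders the page header with the logged-in user's name and theme."""
    name, theme = SESSIONS.get(cookie, ("anonymous", "default"))
    body = f'<nav class="{theme}">{name}</nav><main>{path}</main>'
    # A well-behaved origin marks per-user output as private and varying on Cookie.
    return Response(body, {"Cache-Control": "private", "Vary": "Cookie"})

class ProxyCache:
    def __init__(self, honour_headers: bool):
        self.honour_headers = honour_headers  # False reproduces the bug
        self.store: Dict[str, List[Tuple[tuple, Response]]] = {}

    def _variant(self, req: Dict[str, str], resp: Response) -> tuple:
        # Values of the request headers named in the response's Vary list.
        names = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
        return tuple(req.get(n) for n in names)

    def fetch(self, path: str, req: Dict[str, str]) -> Response:
        for variant, resp in self.store.get(path, []):
            # Buggy mode: any stored copy of this URL is a hit, whoever it was rendered for.
            if not self.honour_headers or variant == self._variant(req, resp):
                return resp
        resp = backend(path, req.get("Cookie"))
        if self.honour_headers and "private" in resp.headers.get("Cache-Control", ""):
            return resp  # never stored: per-user output stays with its own user
        self.store.setdefault(path, []).append((self._variant(req, resp), resp))
        return resp

def who_does_alice_see(cache: ProxyCache) -> str:
    """Admin loads a page, then Alice loads the same URL; return the name in Alice's header."""
    cache.fetch("/post/1", {"Cookie": "sess-admin"})
    body = cache.fetch("/post/1", {"Cookie": "sess-alice"}).body
    return body.split("</nav>")[0].split(">")[-1]

if __name__ == "__main__":
    print("URL-keyed cache:", who_does_alice_see(ProxyCache(False)))  # admin
    print("header-honouring cache:", who_does_alice_see(ProxyCache(True)))  # alice
```

The same URL-only keying also serves the stored admin page to a logged-out visitor, which is why a reverse proxy in front of an authenticated app should either bypass the cache when a session cookie is present or key on the headers the origin lists in `Vary`.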
To add to that, there was probably at most a few minutes gap between what I experienced and sending the message.
UPDATE: it just now happened again, but this time not with the admin account (@[email protected]) but with another user account. I was refreshing my profile and the user @[email protected] appeared in the profile pulldown position on the page with my profile. This time I had time to take a screenshot before it changed:
It’s interesting that it shows my profile page but not as I see it. That is, when I visit my own profile page I normally have a “subscribed” sidebar. This shows what someone else would see if they visit my profile while they are logged in, which still differs from what a logged out profile looks like (as send msg options were given). So I wonder if I could have sent myself a msg.
Without having looked at anything source related yet, it might be more likely that you got a splash of a template before it was bound to actual data. Often, there is still placeholder data in these. It doesn't make sense for you to get access for a flash only to have it removed in the same page load, most frontends aren't set up like that.
Again, just an educated guess though.
It’s an interesting theory. But would that placeholder data include the userID of the admin in the top right corner?
I didn't notice OP said it changed on the same page load, I thought they were F5ing their comments. That does make it more strange.