
[API] Users are able to access the attachments of hidden projects

Inputting a number at the end of the URL brings up the associated attachment from a project the user has no access to.
https://testrail.io/index.php?/attachments/get/
Inputting a number at the end of the URL leads to the security flaw.
Is someone aware of the issue? How can this be disabled?
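The flaw described in this post is an insecure direct object reference: the attachment endpoint authenticates the caller but never checks that the caller may read the project the attachment belongs to. The following Python model is an added example and is not TestRail's code; the data, the `PROJECT_MEMBERS` table and the log line format are constructed for illustration. It shows the id-only lookup beside a version that authorizes against the owning project, and a small log check that flags a user who receives many denials on distinct attachment ids, which is what an enumeration attempt looks like from the server side.

```python
import re
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for missing and forbidden attachments alike, so the response
    does not reveal whether a given id exists in another project."""


@dataclass(frozen=True)
class Attachment:
    id: int
    project_id: int
    filename: str


@dataclass(frozen=True)
class User:
    id: int


# Constructed sample data (hypothetical schema, not TestRail's).
ATTACHMENTS = {
    1234: Attachment(1234, project_id=20, filename="login-failure.png"),
    1235: Attachment(1235, project_id=10, filename="checkout-trace.log"),
}
# project_id -> set of user ids allowed to read that project
PROJECT_MEMBERS = {10: {1}, 20: {2}}


def get_attachment_by_id_only(user, attachment_id):
    """Vulnerable pattern: the caller is logged in, but ownership of the
    attachment is never checked, so any valid id is served."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        raise NotFound()
    return att


def get_attachment_checked(user, attachment_id):
    """Hardened pattern: resolve the attachment, then require that the
    caller is a member of the project that owns it. A forbidden id gets
    the same NotFound as a nonexistent one."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None or user.id not in PROJECT_MEMBERS.get(att.project_id, set()):
        raise NotFound()
    return att


def can_fetch(handler, user, attachment_id):
    """True if the handler would serve the attachment to this user."""
    try:
        handler(user, attachment_id)
        return True
    except NotFound:
        return False


# Constructed access-log shape: "user=<id> GET <path> <status>"
LOG_RE = re.compile(r"user=(\d+) GET /index\.php\?/attachments/get/(\d+) (\d{3})")


def users_probing_attachments(log_lines, threshold=3):
    """Return user ids that were denied on at least `threshold` distinct
    attachment ids. With the hardened handler in place, a burst of 404s
    across many ids from one account is the detection signal."""
    denied = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        uid, att_id, status = int(m[1]), int(m[2]), m[3]
        if status == "404":
            denied.setdefault(uid, set()).add(att_id)
    return {uid for uid, ids in denied.items() if len(ids) >= threshold}


if __name__ == "__main__":
    alice = User(1)  # member of project 10 only
    print(can_fetch(get_attachment_by_id_only, alice, 1234))  # served: IDOR
    print(can_fetch(get_attachment_checked, alice, 1234))     # denied
```

The important design choice is the single `NotFound` path in `get_attachment_checked`: returning 403 for ids that exist in other projects and 404 for ids that do not would still let a caller map out which ids are live.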

I am seeing the same issue. A user is able to fetch a screenshot or attachment from a project by simply adding a random number to the URL, say: https://testrail.io/index.php?/attachments/get/1234.

I have multiple projects in my TestRail with restricted permissions. This way any user with access to TestRail can download/view restricted data.

Do we have any solutions here? @sjpknight

My team is facing the same issue, where you can just see/download an image or attachment from another project you have no access to by just changing a random number in the URL.
This is a security concern for multiple projects in TestRail.
Can we have some help here?

Hi all - we’ll look into this issue as a priority. Thanks for reporting it to us.

Simon.

Any updates on this ticket @sjpknight ? Thanks

@PinkToothbrush

Hi,

Our team is still working on a fix. We do not have any ETA for this right now.

However, please stay tuned for more updates on this issue!

Thanks,
Shanu