Inputting a number at the end of the URL brings up the associated attachment from a project the user has no access to.
https://testrail.io/index.php?/attachments/get/
Inputting a number at the end of the URL leads to the security flaw.
Is someone aware of the issue? How can this be disabled?
I am seeing the same issue. A user is able to fetch a screenshot or attachment from a project by simply adding a random number to the URL, say: https://testrail.io/index.php?/attachments/get/1234.
I have multiple projects in my TestRail with restricted permissions. This way any user with access to TestRail can download/view restricted data.
Do we have any solutions here? @sjpknight
My team is facing the same issue, where you can just see/download an image or attachment from another project with no access by simply changing a random number in the URL.
This is a security concern for multiple projects in TestRail.
Can we have some help here?
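The reports above describe a missing object-level authorization check: the attachment endpoint resolves the numeric ID and serves the file without confirming the caller may read the owning project. The following is an added illustration, not TestRail's code, showing the vulnerable lookup next to a hardened one that ties the check to project membership, plus a log audit that flags downloads by users who lacked access. The store, the membership model, the log format, and all names and IDs (alice, bob, attachments 42 and 1234) are constructed for the example.

```python
"""Object-level authorization for an attachment-download endpoint (illustrative)."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    project_id: int
    filename: str


@dataclass
class Store:
    # attachment_id -> Attachment; project_id -> set of usernames allowed to read it
    attachments: dict = field(default_factory=dict)
    project_members: dict = field(default_factory=dict)

    def user_can_read_project(self, user: str, project_id: int) -> bool:
        return user in self.project_members.get(project_id, set())


class NotFound(Exception):
    """Single failure response: unknown and forbidden IDs look identical to the caller."""


def get_attachment_insecure(store: Store, user: str, attachment_id: int) -> Attachment:
    """Vulnerable pattern: the ID alone decides what is served; `user` is ignored."""
    att = store.attachments.get(attachment_id)
    if att is None:
        raise NotFound(attachment_id)
    return att


def get_attachment_secure(store: Store, user: str, attachment_id: int) -> Attachment:
    """Hardened pattern: resolve the owning project, then require membership.

    Both the missing and the forbidden case raise the same error so that a
    caller iterating over IDs cannot tell which ones exist.
    """
    att = store.attachments.get(attachment_id)
    if att is None or not store.user_can_read_project(user, att.project_id):
        raise NotFound(attachment_id)
    return att


# Constructed log format: "<user> GET /index.php?/attachments/get/<id> <status>"
LOG_RE = re.compile(
    r"^(?P<user>\S+) GET /index\.php\?/attachments/get/(?P<id>\d+) (?P<status>\d{3})$"
)


def audit_access_log(store: Store, log_lines) -> list:
    """Return (user, attachment_id) pairs for successful downloads the user was not entitled to.

    Useful for estimating exposure after the fact: it replays the membership
    check the endpoint should have performed against recorded 200 responses.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("status") != "200":
            continue
        att = store.attachments.get(int(m.group("id")))
        if att is None:
            continue
        if not store.user_can_read_project(m.group("user"), att.project_id):
            findings.append((m.group("user"), att.attachment_id))
    return findings


# Constructed sample data: alice belongs to project 1 only, bob to both.
STORE = Store(
    attachments={
        42: Attachment(42, 1, "login-page.png"),
        1234: Attachment(1234, 2, "payroll-bug.png"),
    },
    project_members={1: {"alice", "bob"}, 2: {"bob"}},
)

SAMPLE_LOG = [
    "alice GET /index.php?/attachments/get/42 200",
    "alice GET /index.php?/attachments/get/1234 200",
    "bob GET /index.php?/attachments/get/1234 200",
    "alice GET /index.php?/attachments/get/9999 404",
]

if __name__ == "__main__":
    print(get_attachment_insecure(STORE, "alice", 1234).filename)  # served despite no access
    try:
        get_attachment_secure(STORE, "alice", 1234)
    except NotFound:
        print("secure handler refused attachment 1234 for alice")
    print(audit_access_log(STORE, SAMPLE_LOG))
```

The key design choice is that the authorization decision is derived from the attachment's owning project rather than from anything in the request, and that the forbidden case returns the same response as a nonexistent ID.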
Hi all - we’ll look into this issue as a priority. Thanks for reporting it to us.
Simon.
Hi,
Our team is still working on the fix. We do not have an ETA for this right now.
However, please stay tuned for more updates on this issue!
Thanks,
Shanu