#9 [1.4.3] Guests can View Torrent Details on Private Tracker

closed
Lupin
5
2012-09-17
2007-07-05
stunna
No

Tested & verified bug on BTIT 1.4.3
(not tested on BTIT 1.4.4)

If the tracker is private & torrent viewing is off for guests, they may still view the details of any torrent if the full URL is known.

i.e.

http://domain.tld/details.php?id=info_hash

example:
http://domain.tld/details.php?id=2ca592fa8XXXXXXXXed526c27

FIX:

find in details.php:

dbconn();

add after:

global $CURUSER;
// Stop guests and users without the view_torrents permission before any torrent data is output
if (!$CURUSER || $CURUSER["view_torrents"]=="no")
{
    standardheader("Access Denied");
    block_begin("Access Denied");
    err_msg(ERROR,"You do not have permission to access this page");
    block_end();
    stdfoot();
    exit();
}
else
{

find:

stdfoot(($GLOBALS["usepopup"]?false:true),false);

add after:

}
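
A deny-by-default form of the same check, as an added example that is not from the ticket or the BTIT code base. The helper names can_view_torrents() and require_view_torrents() are hypothetical, and it assumes the view_torrents flag holds the string "yes" when viewing is allowed; the BTIT calls are the ones used in the fix above.

```php
<?php
// Added example, not BTIT project code. can_view_torrents() and
// require_view_torrents() are hypothetical names. The BTIT calls and the
// $CURUSER["view_torrents"] flag are the ones used in the fix above.
// Assumption: the flag holds the string "yes" when viewing is allowed.

// Decide access from the user row alone. Anything other than an explicit
// "yes" (guest, missing key, unexpected value) is treated as "no".
function can_view_torrents($user)
{
    return is_array($user)
        && isset($user["view_torrents"])
        && $user["view_torrents"] === "yes";
}

// Call once, right after dbconn(), in every page that shows torrent data.
// It renders the error page and stops, so the rest of the page needs no
// else { ... } wrapper.
function require_view_torrents()
{
    global $CURUSER;
    if (can_view_torrents($CURUSER)) {
        return;
    }
    standardheader("Access Denied");
    block_begin("Access Denied");
    err_msg(ERROR, "You do not have permission to access this page");
    block_end();
    stdfoot();
    exit();
}

// Self-check with constructed user rows; runs only from the command line.
if (PHP_SAPI === "cli" && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $cases = array(
        array(false, false),                                // no session (guest)
        array(array("view_torrents" => "no"), false),       // viewing switched off
        array(array("username" => "x"), false),             // flag missing
        array(array("view_torrents" => "yes"), true),       // allowed
    );
    foreach ($cases as $case) {
        $got = can_view_torrents($case[0]);
        echo ($got === $case[1] ? "ok  " : "FAIL"), " ", json_encode($case[0]), "\n";
    }
}
```

Putting the decision in one function lets every page that exposes torrent data call the same guard, so a page reached by direct URL is covered the same way as the listing.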

Discussion

  • Lupin
    2007-07-05

    Logged In: YES
    user_id=1294231
    Originator: NO

    official fix is a little different ;)
    svn updated...