Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)
ReportsController 'show' and 'destroy' now perform a check to see if the User is authorized to see the Host associated with the Report. In case it's not, it returns 404, as to not give hints whether a Report ID or Host ID are valid.
I followed the same approach on the API controllers. 'last' was not vulnerable due to using my_reports which performs the necessary check on 'view_hosts' permission.
(cherry picked from commit 293036dfa71ae70624663647f1ef70798bf53d3e)
Related issues
Bug #11579: CVE-2015-5233 - reports show/destroy not restricted by host authorization
Added by Daniel Lobato Garcia over 8 years ago
Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)
ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, as to not give hints whether a Report
ID or Host ID are valid.
I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.
(cherry picked from commit 293036dfa71ae70624663647f1ef70798bf53d3e)