diagnostics should only be accessible for logged-in users
Posted: 13 Nov 2022, 08:46
I've just found out by chance that the diagnostics page can be accessed without authorization, by everyone. This should only be possible when enabled in the config or when the user is logged in.
The page gives away info that should not be accessible for everyone.
Interestingly, your own page shows a slightly different page (with less info) than mine: https://www.mjau-mjau.com/?diagnostics=true
while mine also shows the PHP version, extensions, open_basedir etc., even though I have disabled the diagnostics entirely in the settings. Therefore I would expect that they are never shown, especially not to unauthenticated users, since they might contain sensitive information (no one is supposed to see my open_basedir, PHP version or whatever).
Thanks
Matt
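To make the expected behaviour from the report concrete, here is an added example of the gate such a diagnostics endpoint should apply. It is not code from the gallery project or from mjau-mjau; the setting name `diagnostics`, the `$logged_in` flag and the function names are hypothetical. The page is served only when diagnostics is enabled in the config or the request belongs to an authenticated session; any other request gets the same generic 404 as an unknown query, so the endpoint's existence is not confirmed. As a second line of defence, the detailed fields the post mentions (PHP version, open_basedir, loaded extensions) are only included for an authenticated session, so even an enabled config never exposes them to anonymous visitors.

```php
<?php
// Added example, not project code. Config key 'diagnostics', the $logged_in
// flag and all function names are hypothetical.

declare(strict_types=1);

/** Gate: serve diagnostics only if explicitly enabled in config or the user is logged in. */
function diagnostics_allowed(array $config, bool $logged_in): bool
{
    $enabled = isset($config['diagnostics']) && $config['diagnostics'] === true;
    return $enabled || $logged_in;
}

/** Payload: environment details only for authenticated sessions; a minimal stub otherwise. */
function diagnostics_payload(bool $logged_in): array
{
    $info = ['status' => 'ok'];
    if ($logged_in) {
        $info['php_version']  = PHP_VERSION;
        $info['open_basedir'] = ini_get('open_basedir') ?: '(not set)';
        $info['extensions']   = get_loaded_extensions();
    }
    return $info;
}

/**
 * Request handler for ?diagnostics=... Returns [status, body] instead of echoing,
 * so the decision can be checked without a web server.
 */
function handle_request(array $query, array $config, bool $logged_in): array
{
    // Unknown route and blocked route are indistinguishable from the outside.
    if (!isset($query['diagnostics']) || !diagnostics_allowed($config, $logged_in)) {
        return ['status' => 404, 'body' => ''];
    }
    return [
        'status' => 200,
        'body'   => json_encode(diagnostics_payload($logged_in), JSON_THROW_ON_ERROR),
    ];
}

// Self-check with constructed requests (run: php diagnostics_gate.php).
// Each case: [query, config, logged_in, expected status, expect php_version in body]
$cases = [
    [['diagnostics' => 'true'], ['diagnostics' => false], false, 404, false], // the reported bug case
    [['diagnostics' => 'true'], ['diagnostics' => true],  false, 200, false], // enabled, anonymous: stub only
    [['diagnostics' => 'true'], ['diagnostics' => false], true,  200, true],  // disabled, logged in: full
    [['diagnostics' => 'true'], [],                       false, 404, false], // key absent counts as disabled
    [[],                        ['diagnostics' => true],  true,  404, false], // no diagnostics param at all
];

$failures = 0;
foreach ($cases as $i => [$query, $config, $logged_in, $want_status, $want_details]) {
    $resp = handle_request($query, $config, $logged_in);
    $has_details = str_contains($resp['body'], 'php_version');
    $ok = $resp['status'] === $want_status && $has_details === $want_details;
    printf("case %d: status=%d details=%s %s\n", $i, $resp['status'], $has_details ? 'yes' : 'no', $ok ? 'OK' : 'FAIL');
    if (!$ok) {
        $failures++;
    }
}
exit($failures === 0 ? 0 : 1);
```

The first case is the situation described in the post: the setting is off and the visitor is anonymous, and the handler must answer 404 rather than the environment dump. Returning the same 404 for "feature disabled" and "route unknown" is deliberate; a 403 would tell a scanner that the endpoint exists and only needs a session.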