Group funds search member API allows for URL traversal


#1

This seems like unintended behavior.

All of the group APIs I have found use a ?username=[thename] parameter which will not allow a traversal to occur.

The group funds member search API however uses a different format (as shown here):
https://www.roblox.com/groups/2741434/search-members/test

This allows for URL traversals to occur (you can move up the web directory using …/…/) - this is causing the client side JSON parser to spit out an error since It’s requesting a page that is not returning JSON.

You can see the bug in action here:


#2

This topic was automatically closed after 1 minute. New replies are no longer allowed.


#3

#4

Just tried and I could reproduce this.