Group funds search member API allows for URL traversal


This seems like unintended behavior.

All of the group APIs I have found use a ?username=[thename] parameter which will not allow a traversal to occur.

The group funds member search API however uses a different format (as shown here):

This allows for URL traversals to occur (you can move up the web directory using ../../); this is causing the client-side JSON parser to spit out an error since it's requesting a page that is not returning JSON.

You can see the bug in action here:
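
As an added illustration (not code from the original post), the following shows why a username placed in a raw URL path segment behaves differently from one passed as a `?username=` query parameter, and how a client or server can neutralise traversal sequences. The host, route and sample username are hypothetical placeholders.

```javascript
// Hypothetical API base; the real service's host and routes are not part of this example.
const API_BASE = "https://api.example.test/v1/groups/1234/";

// Naive path style: the value is interpolated straight into the path.
// WHATWG URL resolution normalises ".." segments, so the request leaves the route.
function naiveMemberSearchUrl(username) {
  return new URL(`funds/members/${username}`, API_BASE).toString();
}

// Query-parameter style (what the other group APIs in the post use):
// URLSearchParams percent-encodes "/" so the value cannot alter the path.
function queryMemberSearchUrl(username) {
  const url = new URL("funds/members", API_BASE);
  url.searchParams.set("username", username);
  return url.toString();
}

// Hardened path style: allow-list the username alphabet, then percent-encode the
// segment so "." and "/" are data, not path syntax. The server must not decode
// and re-resolve the path afterwards, or the protection is undone.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;
function safeMemberSearchUrl(username) {
  if (!USERNAME_RE.test(username)) {
    throw new Error("invalid username");
  }
  return new URL(`funds/members/${encodeURIComponent(username)}`, API_BASE).toString();
}

// Defender's check: does naive interpolation of this value resolve outside the
// intended route prefix? Useful as a unit test or request-log triage helper.
function escapesRoute(username) {
  const expectedPrefix = new URL("funds/members/", API_BASE).pathname;
  const { pathname } = new URL(naiveMemberSearchUrl(username));
  return !pathname.startsWith(expectedPrefix);
}

// Constructed sample inputs: a normal username and a traversal sequence.
for (const input of ["alice_01", "../../"]) {
  console.log(input, "naive ->", naiveMemberSearchUrl(input), "escapes route:", escapesRoute(input));
  console.log(input, "query ->", queryMemberSearchUrl(input));
}
```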





Just tried and I could reproduce this.