Read-only users can post replies (permission overflow)

Read-only users can post replies (permission overflow)

Rootali	#1 2026-06-26 07:42
Members Thanked: 13 kez	Actual vulnerabilities (not unauthorized, but significant) 1. Read-only users can post replies (permission overflow) `newpost` only checks read permissions; there are no write permissions: forum.post.php; `cot_block(Cot::$usr['auth_read']); if ($a == 'newpost' && !empty($s) && !empty($q)) {` The `auth_write` permission exists on the `newtopic` endpoint but not on the `newpost` endpoint. Result: A user with only read (R) permission can bypass the interface and send a new reply directly via a POST request. This is not an edit or delete vulnerability, but a write permission overflow. my blog: https://rootali.net

Rootali

#1 2026-06-26 07:42

Members

Thanked:
13 kez

Actual vulnerabilities (not unauthorized, but significant)

1. Read-only users can post replies (permission overflow)

`newpost` only checks read permissions; there are no write permissions:

forum.post.php;

cot_block(Cot::$usr['auth_read']);
if ($a == 'newpost' && !empty($s) && !empty($q)) {

The `auth_write` permission exists on the `newtopic` endpoint but not on the `newpost` endpoint.

Result: A user with only read (R) permission can bypass the interface and send a new reply directly via a POST request. This is not an edit or delete vulnerability, but a write permission overflow.

my blog: https://rootali.net