[#15395] - Able to upload images without login
- Closed
- 18 Apr 2017
- Critical
- Build: 3.6.5 Stable
- # 15395
To check which pages my visitors are visiting, I installed Piwik and sometimes I look there what is happening.
Now I have figured out that someone has tried to visit some protected pages without logging in, such as image upload page.
Steps to reproduce the issue
mysite.com/index.php?option=com_media&view=imagesList&tmpl=component&folder=&asset=com_content&author=
Expected result
404 Error page, saying that you have no access to this page
Actual result
You can upload images without login !!!
System information (as much as possible)
Datenbankversion: 5.6.35-log
PHP-Version: 7.0.16
Webserver: Apache/2.2.31 (Unix)
Joomla version: Joomla! 3.6.5 Stable
Joomla!-Plattform-Version: Joomla Platform 13.1.0 Stable
Additional comments
- All plugins are up to date.
- I'm using the T3 Framework from www.joomlart.com!
joomla-cms-bot
- 
Your site's ACL is misconfigured.
If i remember correctly this can only happen if you have changed the ACL permissions for the media manager from the default settings to allow a guest to upload images. This is not an issue with Joomla but with your specific web site
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-04-18 20:57:44 |
| Closed_By | ⇒ | brianteeman |
I can not confirm this (not tested with a t3 template)