jedit-devel Mailing List for jEdit

- **status**: open-invalid --> closed-invalid
- **Comment**:

according to your report HTTP is 200 with modified or unmodified account id, but json is status: "ok" with unmodified and "error" with modified account id. So it doesn't look like the changed account id was accepted.
Again, it has nothing to do with jEdit. I'm closing the ticket now.



---

**[bugs:#4147] Found Vulnerability:- IDOR (Insecure Direct Object Reference)**

**Status:** closed-invalid
**Group:** UNUSED
**Labels:** IDOR (Insecure Direct Object Reference) 
**Created:** Thu Sep 11, 2025 08:58 PM UTC by kunal waidande 
**Last Updated:** Tue Sep 16, 2025 01:57 PM UTC
**Owner:** nobody
**Attachments:**

- [jedit.org report.pdf](https://sourceforge.net/p/jedit/bugs/4147/attachment/jedit.org%20report.pdf) (920.8 kB; application/pdf)


The following API endpoint allows an attacker to change account-id in the query string and receive a valid response tied to that account.

Vulnerable endpoint: GET /a/api/fastlane.json?account_id=15680&site_id=103240

How to perform:
1- Go to website (https://www.jedit.org)
2- In home page on right side you will see sourceForge Project option.
3- Open burpsuit and on the intercept and in browser click on sourceForge Project option.
4- Forward the first and second request and then you will see bunch of requests in that request.
5- You that requests you will see (https://fastlane.rubiconproject.com).
6- Send it to repeater and change the account id.
7- You will see that response is 200 OK .

Please find attached PDF report in that, I have created all the manually tested proof report.


---

Sent from sourceforge.net because jed...@li... is subscribed to https://sourceforge.net/p/jedit/bugs/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/jedit/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

*Before re-testing it first Login your account  then only you will see response 200 ok:-

In 6th point after modifying the account id from request you will see that response is ok in repeater, it must not happen. If somone modify the account id it must show error code. I have also send the PDF report with POC.


---

**[bugs:#4147] Found Vulnerability:- IDOR (Insecure Direct Object Reference)**

**Status:** open-invalid
**Group:** UNUSED
**Labels:** IDOR (Insecure Direct Object Reference) 
**Created:** Thu Sep 11, 2025 08:58 PM UTC by kunal waidande 
**Last Updated:** Mon Sep 15, 2025 06:54 PM UTC
**Owner:** nobody
**Attachments:**

- [jedit.org report.pdf](https://sourceforge.net/p/jedit/bugs/4147/attachment/jedit.org%20report.pdf) (920.8 kB; application/pdf)


The following API endpoint allows an attacker to change account-id in the query string and receive a valid response tied to that account.

Vulnerable endpoint: GET /a/api/fastlane.json?account_id=15680&site_id=103240

How to perform:
1- Go to website (https://www.jedit.org)
2- In home page on right side you will see sourceForge Project option.
3- Open burpsuit and on the intercept and in browser click on sourceForge Project option.
4- Forward the first and second request and then you will see bunch of requests in that request.
5- You that requests you will see (https://fastlane.rubiconproject.com).
6- Send it to repeater and change the account id.
7- You will see that response is 200 OK .

Please find attached PDF report in that, I have created all the manually tested proof report.


---

Sent from sourceforge.net because jed...@li... is subscribed to https://sourceforge.net/p/jedit/bugs/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/jedit/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

I see you already created https://sourceforge.net/p/forge/site-support/27035/


---

**[bugs:#4147] Found Vulnerability:- IDOR (Insecure Direct Object Reference)**

**Status:** open-invalid
**Group:** UNUSED
**Labels:** IDOR (Insecure Direct Object Reference) 
**Created:** Thu Sep 11, 2025 08:58 PM UTC by kunal waidande 
**Last Updated:** Mon Sep 15, 2025 06:53 PM UTC
**Owner:** nobody
**Attachments:**

- [jedit.org report.pdf](https://sourceforge.net/p/jedit/bugs/4147/attachment/jedit.org%20report.pdf) (920.8 kB; application/pdf)


The following API endpoint allows an attacker to change account-id in the query string and receive a valid response tied to that account.

Vulnerable endpoint: GET /a/api/fastlane.json?account_id=15680&site_id=103240

How to perform:
1- Go to website (https://www.jedit.org)
2- In home page on right side you will see sourceForge Project option.
3- Open burpsuit and on the intercept and in browser click on sourceForge Project option.
4- Forward the first and second request and then you will see bunch of requests in that request.
5- You that requests you will see (https://fastlane.rubiconproject.com).
6- Send it to repeater and change the account id.
7- You will see that response is 200 OK .

Please find attached PDF report in that, I have created all the manually tested proof report.


---

Sent from sourceforge.net because jed...@li... is subscribed to https://sourceforge.net/p/jedit/bugs/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/jedit/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

- **Group**: severe bug --> UNUSED
- **Comment**:

please clarify exactly how  in step 6. it is a vulnerability since the response is an error. Anyway, please send the report to sourceforge.net, because on jedit.org it is just an image and a plain link to https://www.sourceforge.net/projects/jedit/.




---

**[bugs:#4147] Found Vulnerability:- IDOR (Insecure Direct Object Reference)**

**Status:** open-invalid
**Group:** UNUSED
**Labels:** IDOR (Insecure Direct Object Reference) 
**Created:** Thu Sep 11, 2025 08:58 PM UTC by kunal waidande 
**Last Updated:** Mon Sep 15, 2025 06:53 PM UTC
**Owner:** nobody
**Attachments:**

- [jedit.org report.pdf](https://sourceforge.net/p/jedit/bugs/4147/attachment/jedit.org%20report.pdf) (920.8 kB; application/pdf)


The following API endpoint allows an attacker to change account-id in the query string and receive a valid response tied to that account.

Vulnerable endpoint: GET /a/api/fastlane.json?account_id=15680&site_id=103240

How to perform:
1- Go to website (https://www.jedit.org)
2- In home page on right side you will see sourceForge Project option.
3- Open burpsuit and on the intercept and in browser click on sourceForge Project option.
4- Forward the first and second request and then you will see bunch of requests in that request.
5- You that requests you will see (https://fastlane.rubiconproject.com).
6- Send it to repeater and change the account id.
7- You will see that response is 200 OK .

Please find attached PDF report in that, I have created all the manually tested proof report.


---

Sent from sourceforge.net because jed...@li... is subscribed to https://sourceforge.net/p/jedit/bugs/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/jedit/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

- **status**: open --> open-invalid
- **Comment**:

please clarify exactly how  in step 6. it is a vulnerability since the response is an error. Anyway, please send the report to sourceforge.net, because on jedit.org it is just an image and a plain link to https://www.sourceforge.net/projects/jedit/.




---

**[bugs:#4147] Found Vulnerability:- IDOR (Insecure Direct Object Reference)**

**Status:** open-invalid
**Group:** severe bug
**Labels:** IDOR (Insecure Direct Object Reference) 
**Created:** Thu Sep 11, 2025 08:58 PM UTC by kunal waidande 
**Last Updated:** Thu Sep 11, 2025 08:58 PM UTC
**Owner:** nobody
**Attachments:**

- [jedit.org report.pdf](https://sourceforge.net/p/jedit/bugs/4147/attachment/jedit.org%20report.pdf) (920.8 kB; application/pdf)


The following API endpoint allows an attacker to change account-id in the query string and receive a valid response tied to that account.

Vulnerable endpoint: GET /a/api/fastlane.json?account_id=15680&site_id=103240

How to perform:
1- Go to website (https://www.jedit.org)
2- In home page on right side you will see sourceForge Project option.
3- Open burpsuit and on the intercept and in browser click on sourceForge Project option.
4- Forward the first and second request and then you will see bunch of requests in that request.
5- You that requests you will see (https://fastlane.rubiconproject.com).
6- Send it to repeater and change the account id.
7- You will see that response is 200 OK .

Please find attached PDF report in that, I have created all the manually tested proof report.


---

Sent from sourceforge.net because jed...@li... is subscribed to https://sourceforge.net/p/jedit/bugs/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/jedit/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

---

**[bugs:#4147] Found Vulnerability:- IDOR (Insecure Direct Object Reference)**

**Status:** open
**Group:** severe bug
**Labels:** IDOR (Insecure Direct Object Reference) 
**Created:** Thu Sep 11, 2025 08:58 PM UTC by kunal waidande 
**Last Updated:** Thu Sep 11, 2025 08:58 PM UTC
**Owner:** nobody
**Attachments:**

- [jedit.org report.pdf](https://sourceforge.net/p/jedit/bugs/4147/attachment/jedit.org%20report.pdf) (920.8 kB; application/pdf)


The following API endpoint allows an attacker to change account-id in the query string and receive a valid response tied to that account.

Vulnerable endpoint: GET /a/api/fastlane.json?account_id=15680&site_id=103240

How to perform:
1- Go to website (https://www.jedit.org)
2- In home page on right side you will see sourceForge Project option.
3- Open burpsuit and on the intercept and in browser click on sourceForge Project option.
4- Forward the first and second request and then you will see bunch of requests in that request.
5- You that requests you will see (https://fastlane.rubiconproject.com).
6- Send it to repeater and change the account id.
7- You will see that response is 200 OK .

Please find attached PDF report in that, I have created all the manually tested proof report.


---

Sent from sourceforge.net because jed...@li... is subscribed to https://sourceforge.net/p/jedit/bugs/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/jedit/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.