I am sad to announce that I fixed a very bad information disclosure vulnerability on wechall yesterday.
http://trac.gwf3.gizmore.org/changeset/2581
It was possible to enumerate the users' emails via the wechall userstats API.
You could simply run wechall.net/api/somepath/?username=quangntenemy to get his email.
This was reported by dloser and got fixed a few minutes after the report.
It is hard to tell if somebody collected all user emails this way.
But there is a way:
I always wanted to make a function in Module_Log to grep the zip logfile bundles.
Maybe someone would like to write code for gwf3 to analyze logzips? (grep them?)
I won't find time anytime soon to implement it.
I can provide sample logfiles from my localhost dev machine.
Happy Challenging!
gizmore
PS: Consider the emails you used to register here stolen and raped!
(j/k)
PPS: Does anyone use a unique email here? Do you get any spam?
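The post asks for code that greps the zipped log bundles to find out whether someone harvested emails through the userstats API. Below is an added example of what such a check could look like; it is not gizmore's code and not part of gwf3's Module_Log (it is standalone Python, not PHP). It assumes the logs are ordinary Apache/nginx "combined" access-log files inside a zip, and it keys only on what the post states: a request whose path starts with /api/ and carries a username= parameter. The exact API path is not given on the page, so the sample log lines are constructed and use a made-up path; the IP addresses, timestamps and the detection threshold are likewise assumptions. One client that looks up many distinct usernames is what enumeration looks like in the logs.

```python
import io
import re
import zipfile
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, path, username) for a request to /api/...?username=..., else None.

    Unparseable lines and requests to other paths are ignored; failed lookups
    (e.g. 404 for a non-existent user) still count, since probing is the signal.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.startswith("/api/"):
        return None
    qs = parse_qs(url.query)
    if "username" not in qs:
        return None
    return m.group("ip"), url.path, qs["username"][0]


def scan_logzip(zip_bytes):
    """Scan every file in a zipped log bundle; return {client_ip: set(usernames queried)}."""
    hits = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):  # directory entry, nothing to read
                continue
            with zf.open(name) as fh:
                for raw in fh:
                    rec = parse_line(raw.decode("utf-8", "replace").rstrip("\r\n"))
                    if rec:
                        ip, _path, user = rec
                        hits[ip].add(user)
    return hits


def suspicious_ips(hits, threshold=3):
    """IPs that queried at least `threshold` distinct usernames, most first (threshold is an assumption)."""
    return sorted(
        ((ip, len(users)) for ip, users in hits.items() if len(users) >= threshold),
        key=lambda t: (-t[1], t[0]),
    )


def build_sample_zip():
    """Constructed sample bundle (not real wechall logs): one harvester, one normal visitor.

    The path /api/userstats/ is made up; the post only says /api/somepath/.
    """
    lines_a = [
        '203.0.113.5 - - [10/Oct/2010:13:55:36 +0200] "GET /api/userstats/?username=quangntenemy HTTP/1.1" 200 512 "-" "curl/7.21"',
        '203.0.113.5 - - [10/Oct/2010:13:55:37 +0200] "GET /api/userstats/?username=gizmore HTTP/1.1" 200 498 "-" "curl/7.21"',
        '198.51.100.7 - - [10/Oct/2010:13:56:01 +0200] "GET /profile/gizmore HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [10/Oct/2010:13:56:02 +0200] "GET /api/userstats/?username=gizmore HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    ]
    lines_b = [
        '203.0.113.5 - - [11/Oct/2010:02:10:00 +0200] "GET /api/userstats/?username=dloser&format=json HTTP/1.1" 200 501 "-" "curl/7.21"',
        '203.0.113.5 - - [11/Oct/2010:02:10:01 +0200] "GET /api/userstats/?username=alice HTTP/1.1" 404 120 "-" "curl/7.21"',
        "garbage line that does not parse",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("access.log.1", "\n".join(lines_a) + "\n")
        zf.writestr("access.log.2", "\n".join(lines_b) + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_logzip(build_sample_zip())
    for ip, n in suspicious_ips(hits):
        print(ip, n, sorted(hits[ip]))
```

Pointing scan_logzip at a real bundle is a matter of reading the zip file's bytes instead of calling build_sample_zip. The per-IP distinct-username count is deliberately the metric rather than request volume, because a legitimate visitor tends to look up the same few profiles repeatedly while a harvester touches each username about once; a low threshold is fine here since the API is not something browsers call on their own.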