User-ID manipulation in URL possible, might be security breach

Guest

Post by Guest »

I can easily change the "uid" param in the URL below to some other user's ID. I don't get a display of his mylist, but I get his nickname. Could be that it's possible to start something with that information then.

http://anidb.ath.cx/perl-bin/animedb.pl ... &uid=38000
wahaha
AniDB Staff

Post by wahaha »

You can see his list, actually. It's just empty.

The username isn't worth much really, so unless you have a concrete idea where to use it in an attack, I don't see a problem in showing it.

Btw - that's no bug. Every user who wants to can decide to completely hide his list and stats in the profile. By default, only guest access is pretty limited while other members can read one's list. With permissions set properly, you can avoid having your list shown. Try this one:
http://anidb.ath.cx/perl-bin/animedb.pl ... ist&uid=64

You can navigate the userlist to see who may have a public mylist.
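The permission model wahaha describes (guests get limited access, members can read a list unless its owner hides it, and the username is shown regardless) as an added example of an object-level authorization check keyed on the owner's setting rather than on the uid in the URL. This is illustrative code, not AniDB's own; the accounts, uids, titles and visibility levels are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Visibility(Enum):
    PUBLIC = "public"    # anyone, guests included, may read the list
    MEMBERS = "members"  # only logged-in members (the default described in the thread)
    PRIVATE = "private"  # only the owner


@dataclass
class User:
    uid: int
    username: str
    mylist_visibility: Visibility = Visibility.MEMBERS
    mylist: list = field(default_factory=list)


# Constructed sample accounts; uids, names and titles are made up for this example.
USERS = {
    38000: User(38000, "example_user", Visibility.MEMBERS, ["Anime A", "Anime B"]),
    64: User(64, "hidden_user", Visibility.PRIVATE, ["Anime C"]),
    7: User(7, "open_user", Visibility.PUBLIC, ["Anime D"]),
}


def can_view_mylist(viewer: Optional[User], owner: User) -> bool:
    """Decide from the OWNER's privacy setting whether VIEWER (None = guest) may read the list."""
    if viewer is not None and viewer.uid == owner.uid:
        return True                          # owners always see their own list
    if owner.mylist_visibility is Visibility.PUBLIC:
        return True
    if owner.mylist_visibility is Visibility.MEMBERS:
        return viewer is not None            # any logged-in member, but not guests
    return False                             # PRIVATE: nobody but the owner


def mylist_view(viewer: Optional[User], uid: int) -> Optional[dict]:
    """Render the ?uid=... page: the username is public, entries only when authorized."""
    owner = USERS.get(uid)
    if owner is None:
        return None                          # unknown uid: nothing to show
    allowed = can_view_mylist(viewer, owner)
    # An unauthorized viewer gets the same page shape with an empty list,
    # which matches the "you can see his list, it's just empty" behaviour above.
    return {"username": owner.username,
            "entries": owner.mylist if allowed else [],
            "hidden": not allowed}
```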
Rar
AniDB Staff

Post by Rar »

Feel free to click the 'www' button in the bar below to breach my security. :)

Rar