I thought more people should know about this after writing to DEVONtech last night and receiving no response yet:
First: If you have a DT3 web server running where it is accessible to anyone but you, STOP IT until this is fixed.
The issue: A user with limited access could gain full access to all databases on the system, even those which are not shared at all.
How to trigger it: I am not 100% certain on this, but basically you need to follow these steps:
- log in as any user
- leave the window open and do nothing
- wait a few hours (maybe change your IP with a VPN, not sure about this)
- return to the window and hit reload in the browser
The web server then lists all available databases, as if you were sitting in front of the computer, with full read/write/delete access as well.
I think this is a browser session problem. The browser should log you out after inactivity, but instead gives you admin access.
Tested on Safari running on Catalina.