#224957 03/27/2009 5:09 PM
Joined: Aug 2006
Posts: 1,358
In /scripts/profile_comment.inc.php there is no security if comments are actually allowed.


Joined: Dec 2003
Posts: 6,560
Likes: 78
Yarp,
Just curious.
Could you expand on no security?


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
Joined: Aug 2006
Posts: 1,358
Basically, if you submit a form to that script, it gets processed. Whether the user has enough posts or not, or whether the feature is on or not.

It does require the submitter to be logged in.


Joined: Mar 2008
Posts: 326
Just throw one of these puppies into the script...

[Linked Image]

Security problem solved.

Joined: Jun 2006
Posts: 391
Originally Posted by DLWebmaestro
Just throw one of these puppies into the script...

[Linked Image]

Security problem solved.

Works for me!!!! grin


Greg AKA Virgil Earp at the OK Corral
Tombstone, AZ
Joined: Aug 2006
Posts: 1,358
More bugs found in there.

The scripts that actually modify/delete the comments have code in there to allow admins to edit/delete.
/scripts/showprofile.inc.php however does not show the edit link.

Changed this line:
Code
			if ($c_uid == $user['USER_ID']) {

Code
			if ($c_uid == $user['USER_ID'] || $user['USER_MEMBERSHIP_LEVEL'] == "Administrator") {

Though I would prefer something new or existing from the permission matrix.

Another more severe buglet is also present. The final modify script has no code to disallow an edit by the current profile owner. It just checks if you can "edit or delete", and if you are allowed either, it allows both.

So a profile owner can change the words in a comment.

Dirty Fix: (don't have time now to rebuild the if statement that should check)

find:
Code
		$query = "
			update {$config['TABLE_PREFIX']}PROFILE_COMMENTS
			set COMMENT_BODY = ?,
			COMMENT_DEFAULT_BODY = ?
			where COMMENT_ID = ?
		";
		$dbh -> do_placeholder_query($query,array($Body,$DefaultBody,$id),__LINE__,__FILE__);

Add before:

Code
		if ($poster == $user['USER_ID']) {
			$html->not_right($ubbt_lang['NO_EDIT']);
		}


Final buglet:
/scripts/showprofile.inc.php does not allow you to post comments on your own profile.
/scripts/profile_comment.inc.php does allow that.
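
Added example, not part of the thread and not UBB.threads code: one way to put the checks discussed above (feature enabled, minimum post count, edit kept separate from delete) into a single function that both the profile page and the form handlers call. The function name, both config keys, `USER_TOTAL_POSTS`, and the policy that the comment author may edit and delete while the profile owner may only delete are assumptions.

```php
<?php
// Added example: hypothetical policy helper, not UBB.threads code.
// Assumed names: the function, both config keys, USER_TOTAL_POSTS.
// USER_ID and USER_MEMBERSHIP_LEVEL are the keys quoted in the thread.
function profile_comment_allowed(string $action, array $user, array $config,
                                 int $profileOwner, ?int $commentAuthor = null): bool
{
    if (empty($user['USER_ID'])) {
        return false;                  // must be logged in
    }
    if (empty($config['PROFILE_COMMENTS_ENABLED'])) {
        return false;                  // feature is switched off
    }
    $uid     = (int) $user['USER_ID'];
    $isAdmin = ($user['USER_MEMBERSHIP_LEVEL'] ?? '') === 'Administrator';
    $posts   = (int) ($user['USER_TOTAL_POSTS'] ?? 0);
    $minimum = (int) ($config['PROFILE_COMMENTS_MIN_POSTS'] ?? 0);

    switch ($action) {
        case 'post':    // assumed policy: not on your own profile, enough posts
            return $uid !== $profileOwner && $posts >= $minimum;
        case 'edit':    // only the comment author or an admin may change the text
            return $isAdmin || $uid === $commentAuthor;
        case 'delete':  // the profile owner may remove a comment, never rewrite it
            return $isAdmin || $uid === $commentAuthor || $uid === $profileOwner;
        default:
            return false;              // unknown action: deny
    }
}

// Constructed sample data: profile 7 carries a comment written by user 9.
$config = ['PROFILE_COMMENTS_ENABLED' => true, 'PROFILE_COMMENTS_MIN_POSTS' => 10];
$users  = [
    'profile owner'  => ['USER_ID' => 7,  'USER_MEMBERSHIP_LEVEL' => 'User', 'USER_TOTAL_POSTS' => 500],
    'comment author' => ['USER_ID' => 9,  'USER_MEMBERSHIP_LEVEL' => 'User', 'USER_TOTAL_POSTS' => 40],
    'new member'     => ['USER_ID' => 12, 'USER_MEMBERSHIP_LEVEL' => 'User', 'USER_TOTAL_POSTS' => 2],
    'administrator'  => ['USER_ID' => 1,  'USER_MEMBERSHIP_LEVEL' => 'Administrator', 'USER_TOTAL_POSTS' => 50],
];
foreach ($users as $label => $u) {
    foreach (['post', 'edit', 'delete'] as $action) {
        $ok = profile_comment_allowed($action, $u, $config, 7, 9);
        printf("%-14s %-6s %s\n", $label, $action, $ok ? 'allow' : 'deny');
    }
}
```

Calling the same function from the profile page (to decide which links to render) and from the form handlers (before any insert, update or delete) keeps the display and the enforcement from drifting apart, which is the mismatch described in the thread.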


Joined: Jul 2006
Posts: 4,057
Bring on 7.5.3

Good catches smile

7.5.2 is too buggy for me to upgrade now IMO


BOOM !! Version v7.6.1.1
People who inspire me Isaac ME Gizmo
