[5.02] Security Related Question


WB
March 22nd, 2005, 03:58 PM
For Michael P:

We recently upgraded to 5.02.

When we ran across:

http://secunia.com/advisories/14576/

we didn't pay it much mind as those issues appear to be fixed based on the release notes for 5.01 and/or 5.02.

Number 2 in the list however, appears to still be an issue on our site.

The release notes have:

misc.php
added a user check to only allow registered users to submit a report photo

for 5.01 but that doesn't appear to be the case for 5.02. Using the example provided, I can still generate emails without being authenticated.

Not really a big issue per se about the email but it does raise the question about the aforementioned holes and whether or not 5.02 may have inadvertently reintroduced some of them.

Question:

Can you confirm that the issues 1 - 5 mentioned on Secunia have been dealt with as of 5.02?

Thanks.

Michael P
March 22nd, 2005, 04:57 PM
Not all of the issues in that advisory are valid issues; but all that were are addressed with the 5.02 release. If you look at the misc.php file, the lines 250-252 look for a userid that is non-zero before allowing any emails to be sent.

WB
March 22nd, 2005, 05:01 PM
Michael:

Thanks.

Not following about the userid check though.

As I understand it, it should disallow the emails being sent if the user is not registered but when I go to our test install and enter the URL mentioned at Secunia, an email gets sent (with no login on my part).

If registered users are the only ones that can submit a report photo, not quite following why the URL works when the user is not logged in.

Thanks.

Michael P
March 22nd, 2005, 05:13 PM
If you have the lines:

if ( empty($User['userid']) ) {
    diewell( $Globals['pp_lang']['noreg'] );
}

in misc.php at lines 250ish, then it should be dying with a report of not logged in.

Just like if you click this link:

http://www.viperalley.com/gallery/misc.php?action=reportphoto&report=19514

WB
March 22nd, 2005, 06:20 PM
Michael:

Thanks.

The link provided works as expected and I get the same result in our test install.

I was taking the Secunia post more literally though in my test.

For example, if I try:

http://www.viperalley.com/gallery/misc.php?action=reportpost&report=1&final=1

I get a note following that the report has been sent to the admin, same as I get on our site.

Shouldn't the report not go through with no email to the admin since the user isn't logged in?

Thanks.

Michael P
March 22nd, 2005, 08:58 PM
Ah, my bad. I was looking at the wrong "report". As I indicated when I was contacted about this issue, this is not a "bug". It has been this way since the very early versions of PhotoPost and we have never had a complaint about how it was implemented. That's not to say we can't change that (and we have), but that doesn't mean it's a "security bug".

In misc.php at line 294, you can add the code in bold:

authenticate();

if (empty($User['userid'])) {
    diewell( $Globals['pp_lang']['noreg'] );
}
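The thread above shows the general failure mode: misc.php gates one report action (reportphoto) on a non-zero userid but not the other (reportpost), so an unauthenticated request can still make the script mail the admin on every hit. The following is an added illustration, not PhotoPost's own code: it reproduces that shape in a minimal dispatcher and then shows a hardened form that applies the login check once, before dispatch, for every action that sends mail. All names here (authenticate, diewell, $User, $Globals['pp_lang']['noreg'], send_admin_mail, the ppuser cookie) are hypothetical stand-ins modeled on the snippets quoted in the thread.

```php
<?php
// Added example (not PhotoPost code). Stand-ins modeled on the thread's snippets:
//   authenticate()  fills the global $User array; 'userid' is 0 for a guest
//   diewell($msg)   prints the message and stops the request
//   $Globals['pp_lang']['noreg'] is the "not registered" message
//   send_admin_mail() stands in for whatever mail() call the real script makes

$Globals = ['pp_lang' => ['noreg' => 'You must be a registered user to do this.']];
$User = [];

function authenticate(): void {
    global $User;
    // Constructed stand-in: a real install resolves the session here.
    $User['userid'] = isset($_COOKIE['ppuser']) ? (int) $_COOKIE['ppuser'] : 0;
}

function diewell(string $msg): void {
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'), "\n";
    exit;
}

function send_admin_mail(string $subject, string $body): void {
    // Stand-in for the real mail() call; only the gate in front of it matters here.
    echo "mail to admin: {$subject} ({$body})\n";
}

// Before: only 'reportphoto' is gated. A guest can still hit
// misc.php?action=reportpost&report=1&final=1 and mail is sent every time.
function dispatch_before(string $action): void {
    global $User, $Globals;
    authenticate();
    $report = (int) ($_GET['report'] ?? 0);
    if ($action === 'reportphoto') {
        if (empty($User['userid'])) {
            diewell($Globals['pp_lang']['noreg']);
        }
        send_admin_mail('Photo report', "photo {$report}");
    } elseif ($action === 'reportpost') {
        // No userid check here: this is the gap discussed in the thread.
        if (!empty($_GET['final'])) {
            send_admin_mail('Post report', "post {$report}");
        }
    }
}

// After: every action that can result in mail is listed in one place and the
// login check runs before dispatch, so a newly added mail-sending action
// cannot silently skip it.
const MAIL_ACTIONS = ['reportphoto', 'reportpost'];

function dispatch_after(string $action): void {
    global $User, $Globals;
    authenticate();
    if (in_array($action, MAIL_ACTIONS, true) && empty($User['userid'])) {
        diewell($Globals['pp_lang']['noreg']);
    }
    $report = (int) ($_GET['report'] ?? 0);
    if ($action === 'reportphoto') {
        send_admin_mail('Photo report', "photo {$report}");
    } elseif ($action === 'reportpost' && !empty($_GET['final'])) {
        send_admin_mail('Post report', "post {$report}");
    }
}

dispatch_after((string) ($_GET['action'] ?? ''));
```

To confirm the fix on a test install, request the reportpost URL from the thread in a browser session with no login cookie: the hardened script should return the noreg message and the admin mailbox should receive nothing, whereas the "before" shape returns the "report sent" note on every request.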

WB
March 23rd, 2005, 01:26 PM
Michael:

Great, thanks for the explanation and the code addition.