Stop people hacking (via Firefox) a longer expiry date

April 16th, 2009, 08:45 AM | #1 | Member, Verified Customer | Join Date: Jan 2009 | Posts: 46
At the moment, if you only want an ad to run for a maximum of 14 days, then you simply edit the template and remove all the other options. The problem is that Firefox comes with plugins, such as Web Developer Toolbar, which allow you to edit a drop-down box, i.e. turn a drop-down into a free text box. On our installation of PP Classifieds I've added a routine to the PHP which hard-codes acceptable expiry lengths so they can't be overridden. Can I suggest something like this is considered for the future? It just makes the software a little 'harder' and less prone to exploits. Thanks.
PS. If anyone wants me to demonstrate how easy it is, or to demonstrate on their test installations, then just let me know.
April 16th, 2009, 08:52 AM | #2 | Photopost Developer, Verified Customer | Join Date: Jun 2002 | Location: Abingdon, MD | Posts: 71,654
I am not familiar with such firefox tools personally.
April 17th, 2009, 03:52 AM | #3 | Member, Verified Customer | Join Date: Jan 2009 | Posts: 46
Right, but that doesn't make this not a good suggestion?
With all due respect I'm trying to help and every time I do it gets shot down in flames.
The Web Developer toolbar is a very popular (and useful) extension: Web Developer
Let me know your testing PP Classifieds installation and I'd be happy to demonstrate how easy it is to change the date.
As I say, I'm trying to help here, Chuck.
May 1st, 2009, 11:09 AM | #4 | Member, Verified Customer | Join Date: Jan 2009 | Posts: 46
Hi Chuck, do you want to point me to your testing site so I can show you how easy this is?
To re-create, install the Web Developer plugin for Firefox and then go Forms > Make Form Fields Writeable. This is something that can be exploited against any PP Classifieds installation as there's no double-checking.
May 1st, 2009, 03:18 PM | #5 | Photopost Developer, Verified Customer | Join Date: Jun 2002 | Location: Abingdon, MD | Posts: 71,654
Once we go back into a beta development period I will look at any suggestions.
May 4th, 2009, 05:57 AM | #6 | Member, Verified Customer | Join Date: Dec 2004 | Location: Osaka | Posts: 158
This is working from 2.62, so line numbers might have changed; however, search the file UPLOADPRODUCT.PHP for a line which starts Code: Content visible to verified customers only.
And amend it to equal Code: Content visible to verified customers only.
Change "30" to be equal to whatever you want the maximum to ever be.
May 4th, 2009, 09:06 AM | #7 | Photopost Developer, Verified Customer | Join Date: Jun 2002 | Location: Abingdon, MD | Posts: 71,654
All that does is tell the program, if there is a duration greater than 30, don't use it. How about the 120-day options, etc., that all exist in the program?
May 6th, 2009, 04:03 PM | #8 | Member, Verified Customer | Join Date: Dec 2004 | Location: Osaka | Posts: 158
From what I gathered from the OP's post, he has removed the other options from the template, so the only options a poster will ever be given are up to 14 days.
By using the above code (and changing 30 to 14), no one should ever be able to post an ad for longer than 14 days, as it will set anything higher back to 14.
May 6th, 2009, 09:37 PM | #9 | Photopost Developer, Verified Customer | Join Date: Jun 2002 | Location: Abingdon, MD | Posts: 71,654
Yes, I believe he has done something like this already; he was commenting about a Firefox web plugin that manipulates an HTML page's contents.
The problem is, with that plugin you're going to be able to manipulate really any HTML page content, so it's not really a bug at all. I can manipulate vBulletin, really any program, to add in other options using that plugin.
May 7th, 2009, 06:31 AM | #10 | Member, Verified Customer | Join Date: Dec 2004 | Location: Osaka | Posts: 158
I know; I use the same FF plugin.
The point is, though, even if someone does manipulate the form content to set a longer expiry date, that code above will check for this and set it back to the lower one.
May 7th, 2009, 07:59 AM | #11 | Photopost Developer, Verified Customer | Join Date: Jun 2002 | Location: Abingdon, MD | Posts: 71,654
I know that, I am just, but it's not a viable option in the normal program with the durations the normal program uses. If you have altered your program to use just one duration, that's fine.
July 14th, 2009, 11:03 AM | #12 | Member, Verified Customer | Join Date: Jan 2009 | Posts: 46
Hi Chuck, this really comes down to the PHP rather than anything else. The PHP needs to be hardened to stop users being able to push in any value, which you can right now with PP Classifieds. Give me a URL where I can register and I can show you. It makes more sense to fix the PHP to do a quick double-check on acceptable values rather than leave this exploit wide open.
July 14th, 2009, 11:31 AM | #13 | Photopost Developer, Verified Customer | Join Date: Jun 2002 | Location: Abingdon, MD | Posts: 71,654
As stated, changing how the duration is done is a major thing and I will look into it in the future when there is an open beta. It is only an HTML option box, not database settings.
You can try something like this to set it to a default value if someone tries using that thing. This is the simplest thing: create an array of acceptable values and then, if it's not in the array, set it to a default. Code: Content visible to verified customers only.
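The two server-side checks discussed in this thread, side by side, as an added example (this is not PhotoPost's code and the real lines in UPLOADPRODUCT.PHP are not shown above; the field name `duration`, the constants and the two function names are assumptions). The first function is the clamp from post #6 (change "30" to the maximum); the second is the allow-list from post #13, which also answers the objection in post #7: list whatever durations the template actually offers (7, 14, 120, ...) and everything else falls back to the default. Both refuse non-integer input rather than letting PHP's loose comparisons turn "14abc" or "1e2" into a number, since a tampered form or a plain POST from curl can send anything at all.

```php
<?php
// Added example, not PhotoPost/PP Classifieds code. Assumes the ad form posts
// the ad length in days in a field named "duration" (hypothetical name).

declare(strict_types=1);

// Durations the template actually offers (hypothetical admin setting). The
// browser drop-down is not a security boundary: any client can send any
// value, so the same list must exist on the server.
const ALLOWED_DURATIONS = [7, 14];   // days
const DEFAULT_DURATION  = 14;
const MAX_DURATION      = 14;

/**
 * Post #6 approach: clamp. Anything above the maximum is set back to the
 * maximum. On its own min() would also "accept" 0, -5 or "abc", so the value
 * is validated as a positive integer first and the default is used otherwise.
 */
function clampDuration($raw): int
{
    // FILTER_VALIDATE_INT returns false for "14abc", "1e2", "", null, " 14".
    $days = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($days === false) {
        return DEFAULT_DURATION;
    }
    return min($days, MAX_DURATION);
}

/**
 * Post #13 approach: allow-list. Only values present in the template's list
 * are accepted; anything else becomes the default. The strict flag on
 * in_array() avoids loose-comparison surprises such as true == 14.
 */
function allowListDuration($raw): int
{
    $days = filter_var($raw, FILTER_VALIDATE_INT);
    if ($days === false || !in_array($days, ALLOWED_DURATIONS, true)) {
        return DEFAULT_DURATION;
    }
    return $days;
}

// Inputs a tampered form could send (constructed for this example).
$samples = ['14', '7', '120', '365', '0', '-3', '14abc', '', '1e2', 'x'];

foreach ($samples as $raw) {
    printf("%-8s clamp=%-3d allowlist=%d\n", var_export($raw, true),
        clampDuration($raw), allowListDuration($raw));
}

// In the real handler: replace whatever reads the duration straight from the
// request with the validated value, and compute the expiry from that only.
$duration = allowListDuration($_POST['duration'] ?? null);
$expires  = strtotime("+{$duration} days");
```

Run from the command line, the loop shows that '120', '365', '14abc', '1e2' and 'x' all end up at 14 under the allow-list, while the clamp turns '7' into 7 and everything invalid into the default. The same validated value should be the only one used for the database write and the expiry calculation; re-reading the raw request value later would reopen the hole.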
July 29th, 2009, 06:41 PM | #14 | Member, Verified Customer | Join Date: Jan 2009 | Posts: 46
Thanks for the suggestion Chuck and sorry for the delay in coming back to you. I'm glad that you'll consider making this an option (perhaps something that can be set in the database from the admin area?) and hopefully not too many people will exploit it in the meantime. This plugin is pretty popular and can even allow you to edit hidden fields!
July 29th, 2009, 06:43 PM | #15 | Photopost Developer, Verified Customer | Join Date: Jun 2002 | Location: Abingdon, MD | Posts: 71,654
Well, I doubt I can come up with solutions for everything, but the above can check to ensure the duration is what is in the templates.
What I posted is already in the build.