July 18th, 2004, 09:24 AM
#1 (permalink)
Registered User
Join Date: Jun 2003
Posts: 56
Security Issues
I've only just installed 4.8 so bear with me if these have been addressed. I have a number of password protected albums, however pictures in these albums are being displayed in the random images even when a user doesn't have rights to the album.
How do you stop this happening? I mean it seems pretty fundamental to me that if a user doesn't have a password for an album, they shouldn't see any of these photos and you shouldn't really have to do anything to stop it - it should be default - or am I missing something?

July 18th, 2004, 10:10 AM
#2 (permalink)
PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,834
Can you provide a link to demonstrate this?
__________________ Please do not PM me for support or sales questions. Thank you for your understanding.

July 18th, 2004, 10:40 AM
#3 (permalink)
Registered User
Join Date: Jun 2003
Posts: 56
The website is an internal intranet, so unfortunately I can't. I'm happy to send you any files though if that helps.

July 18th, 2004, 11:00 AM
#4 (permalink)
Registered User
Join Date: Jun 2003
Posts: 56
In fact, it appears as though images in password protected forums which the users don't have access to are showing everywhere, i.e. Random Images, Most Popular Images etc. even though when the person goes to the member gallery containing the images, he gets prompted for the password to enter.
By the way, they don't just see the thumbnail either, they can click on the image and see the larger version. Once they're there, they can browse all the images in that locked forum.
However I'm also getting strange results with the test user I've created. He can login to vB3 no problems. I then go to the gallery and everything shows up as expected (including the images that shouldn't), but now when I click on anything it comes up with a message saying you must be a registered user to view images.
This doesn't happen for my account (admin).

July 18th, 2004, 11:06 AM
#5 (permalink)
PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,834
I cannot replicate your album problem and you also may have "require users to registered to view images" set to ON. Admin users can see any albums, even private (which means the images would appear in the featured photos as they do have permission).

July 19th, 2004, 08:53 AM
#6 (permalink)
Registered User
Join Date: Jun 2003
Posts: 56
I've checked the usergroup permissions and they're definitely set correctly.

July 19th, 2004, 09:14 AM
#7 (permalink)
Photopost Developer Verified Customer
Join Date: Jun 2002
Location: Abingdon, MD
Posts: 71,941
I cannot replicate this either. I mark a personal album private, as in password protected. I upload a picture and it does not appear in random and recent. I have permission to view it if I go to my album, of course, but it does not display on the most recent, which if I could replicate your problem it would.
Check your usergroup permissions
Check your category permissions
Double check your personal albums are private password protected

July 19th, 2004, 03:09 PM
#8 (permalink)
Registered User
Join Date: Jun 2003
Posts: 56
OK, I've made some progress here into what might be going on:
1. It appears as though the problem relates to the fact that although I logged in as a 'test' user, photopost is still using my admin account named 'Intex'. To get an idea of what I'm saying, take a look at the first screenshot attached. You can see from the picture that I'm logged on to vB as 'Test', yet when I select the 'Profile' link in PP, it shows the profile for 'Intex'. Seems to me that it must be picking this information up from someone, even though I've cleared the cookies when logging out as 'Intex' and logging back in as 'Test'.
   This must be the case because you can also see that the photopost ADMIN link is on there and this person is not in the admin group.
   This also explains why I could see private forums, i.e. I was actually logged on as an admin.
2. If I use a completely different PC and login as 'Test' it shows the gallery as normal, but the user doesn't have a profile link. Although all of the thumbnails are shown, when you click on any of them you just get a message saying you must be a registered user to view images.
So, I think this is all related and something to do with cookies? Note: I always go into the vB forum first when logging in and then go to the gallery. As also explained above, I always clear the cookies too. The category and usergroup permissions are set correctly.

July 19th, 2004, 03:19 PM
#9 (permalink)
Photopost Developer Verified Customer
Join Date: Jun 2002
Location: Abingdon, MD
Posts: 71,941
Well, that leads to a cookie issue difference between the two products.
If you have a cookie on your computer when logging to photopost yet you logged into the forum with test you would see this kind of issue.
Check your cookie settings between both products.
I suggest VB set to:
  cookie path: /
  cookie domain: .domain.com
Photopost set to:
  cookie path: /
  cookie domain: .domain.com
  cookie prefix: bb
  vb license --- this must be entered in the photopost config for cookies to mesh

July 19th, 2004, 03:56 PM
#10 (permalink)
PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,834
<rainman> Definitely a cookie configuration issue. yep, definitely a cookie configuration issue... </rainman>

July 19th, 2004, 04:16 PM
#11 (permalink)
Registered User
Join Date: Jun 2003
Posts: 56
OK, I changed my settings:
The vB cookie path was already set to / but the cookie domain was blank. I've changed this to be the domain name, i.e. test.example.com.
I've then changed the PP config settings. The forum cookie prefix was blank and I changed this to bb. My vB license info was already defined. The cookie path was already / and I changed the cookie domain from being blank to test.example.com.
This certainly cures the problem with being logged onto vB with one user and it actually being logged in as another within photopost, however now when the test user logs on, it still says he's unregistered (see attachment).

July 19th, 2004, 04:33 PM
#12 (permalink)
PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,834
If you read the vB3 integration FAQ stuck at the top, you might find that you should use different cookie settings.

July 19th, 2004, 06:12 PM
#13 (permalink)
Photopost Developer Verified Customer
Join Date: Jun 2002
Location: Abingdon, MD
Posts: 71,941
.example.com might be better.
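
Added example, not part of the original thread and not PhotoPost or vBulletin code: a minimal JavaScript model of the browser's RFC 6265 domain and path matching, run against the three Cookie Domain values tried above (blank, test.example.com, .example.com). The gallery hostnames and paths are constructed assumptions, since the poster's directory layout is not shown.

```javascript
// Added example: RFC 6265 cookie scoping for the Cookie Domain / Cookie Path
// values discussed in this thread. Hosts and paths below are constructed.

// RFC 6265 5.1.3: the host equals the domain or is a dot-separated subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 5.1.4: prefix match that only ends on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// What the browser stores when setHost answers with this Domain and Path.
function storeCookie(setHost, domainAttr, pathAttr) {
  const domain = (domainAttr || "").trim().toLowerCase().replace(/^\./, "");
  // A Domain that does not cover the setting host is rejected outright.
  if (domain !== "" && !domainMatch(setHost, domain)) return null;
  return {
    hostOnly: domain === "", // blank Cookie Domain: exact host only
    domain: domain === "" ? setHost : domain,
    path: pathAttr, // Cookie Path as configured (an explicit value is assumed)
  };
}

// Would the browser attach the cookie to a request for host + path?
function isSent(cookie, host, path) {
  if (cookie === null) return false;
  const hostOk = cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
  return hostOk && pathMatch(path, cookie.path);
}

// Constructed layout: forum login on test.example.com, three candidate gallery URLs.
const TARGETS = [
  ["test.example.com", "/gallery/index.php"], // same host as the forum
  ["photos.example.com", "/index.php"],       // sibling host
  ["example.com", "/gallery/index.php"],      // parent domain
];

function scopeReport(domainAttr, pathAttr) {
  const cookie = storeCookie("test.example.com", domainAttr, pathAttr);
  return TARGETS.map(([host, path]) => isSent(cookie, host, path));
}

for (const [d, p] of [["", "/"], ["test.example.com", "/"], [".example.com", "/"], [".example.com", "/forum"]]) {
  console.log(JSON.stringify(d), p, scopeReport(d, p));
}
```

Only .example.com with path / reaches all three gallery locations, which also means the login cookie is sent to every host under example.com.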

July 20th, 2004, 01:29 PM
#14 (permalink)
Registered User
Join Date: Jun 2003
Posts: 56
Michael_P - I'd read this information from the outset and these were my original settings. These did not work.
Omegatron - I tried changing it as shown for my domain and it made no difference, the user is still unregistered and I've tried this with the same result from different PCs.
I really don't understand what's going on. Perhaps I need to give you more information. My directory hierarchy is as follows:
Code: Content visible to verified customers only.
My domain name is subdomain.domain.biz
Photopost Settings
CONFIG.INC settings contains:
Forum Cookie Prefix: BB {should this be BB or should something be replacing this?}
Cookie Path: /
Cookie Domain: {blank}
vB Settings
Path to Save Cookies: /
Cookie Domain: {blank}

July 20th, 2004, 01:30 PM
#15 (permalink)
Photopost Developer Verified Customer
Join Date: Jun 2002
Location: Abingdon, MD
Posts: 71,941
Perhaps it's best to just PM me a url and an admin login to your forum

July 20th, 2004, 01:38 PM
#16 (permalink)
Registered User
Join Date: Jun 2003
Posts: 56
OK, I've PM'd you the info.

July 20th, 2004, 01:43 PM
#17 (permalink)
Photopost Developer Verified Customer
Join Date: Jun 2002
Location: Abingdon, MD
Posts: 71,941
Okay I am logged in fine when I view the gallery.
Photopost works with cookies. VB uses sessions or cookies. You need to select the remember me button when logging in so a cookie is created.

July 20th, 2004, 01:46 PM
#18 (permalink)
Registered User
Join Date: Jun 2003
Posts: 56
LOL, well that will teach me for messing around with the code. I changed the default behaviour of the 'Remember Me' check box recently because it's a bit of a security breach, i.e. it's automatically ticked by default and people forget to logout.
I guess it didn't matter before as I wasn't using the gallery and had no effect with anything else.
Thx. for your help Omegatron.
Last edited by Intex; July 20th, 2004 at 01:49 PM.