ReviewPost Bug Reports: Let us know about any post installation problems you are having with ReviewPost.
#1, December 12th, 2006, 11:46 AM
Member, Verified Customer (Join Date: Oct 2006, Posts: 426)

Major Security Flaw!!!
Today one of my members pointed out a MAJOR security flaw in Review Post that will allow ANYONE to edit/delete an article belonging to anyone else!! OUCH! I will not post here how it was done, but I was VERY surprised that this wasn't ever reported and fixed previously, as just about anyone could figure it out. I have sent the details to support@photopost.com and am awaiting a fix which hopefully will be distributed to everyone soon!
#2, December 12th, 2006, 12:48 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002, Location: Abingdon, MD, Posts: 66,720)

In editproduct.php please add the code in bold. Code: Content visible to verified customers only.
#3, December 12th, 2006, 04:55 PM
Member, Verified Customer (Join Date: Jan 2002, Posts: 265)

Chuck:
Could you post more details about what this is impacting?
Not asking about the exploit mechanism, but what is it impacting?
For example, is the issue that registered users can delete other registered users' products without said addition (or is anyone referring to guests as well)?
Does that apply if users don't have the ability to edit/post products in the first place (only admin posting of products, for example)?
Or does this apply to user reviews/comments as well?
Thanks!
#4, December 12th, 2006, 05:08 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002, Location: Abingdon, MD, Posts: 66,720)

This does not apply if they do not have edit permissions.
The issue is users can edit others' products, and the fix is posted above.
#5, December 12th, 2006, 05:18 PM
Member, Verified Customer (Join Date: Jan 2002, Posts: 265)

Chuck:
Thanks for the quick reply.
Just to make sure I'm reading you correctly, so in usergroup permissions if:
Allow edit own Products?
is set to no for registered users (and all other users except for the admin)
then no issue?
Also, 'Allow edit Reviews?' doesn't come into play in this instance, so it can be set to yes or no.
All correct?
Thanks!
#6, December 12th, 2006, 05:23 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002, Location: Abingdon, MD, Posts: 66,720)

No, reviews do not come into play here, and yes, if they cannot edit they cannot get in and should never see an edit link in the first place.
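The hole discussed in posts #2, #4 and #6 is an authorization check that stops at the usergroup permission ("Allow edit own Products?") without confirming that the product named in the request belongs to the user making it, so any user who may edit at all can edit anyone's product. The PHP below is an added illustration of that pattern and its hardened form; it is not ReviewPost's code (the actual patch is visible only to verified customers). The table name rp_products, the userid column, the $user session array and the function names are assumptions made for this example, and the data is a constructed in-memory fixture.

```php
<?php
// Added example, not ReviewPost's own code. rp_products, its userid column,
// the $user array and the function names are assumptions for illustration.
declare(strict_types=1);

// Constructed in-memory fixture standing in for the products table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE rp_products (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL, title TEXT NOT NULL)');
$pdo->exec("INSERT INTO rp_products (id, userid, title) VALUES (1, 10, 'Alice product'), (2, 20, 'Bob product')");

// Vulnerable pattern: the handler checks only the usergroup permission and
// then trusts the product id supplied in the request, never the row's owner.
function edit_product_unchecked(PDO $pdo, array $user, int $id, string $title): bool
{
    if (!$user['caneditproducts']) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE rp_products SET title = ? WHERE id = ?');
    $stmt->execute([$title, $id]);
    return $stmt->rowCount() === 1;
}

// Hardened pattern: keep the permission check, then load the row and compare
// its owner with the session user (admins may edit anything). The UPDATE
// repeats the ownership condition so the database enforces it as well.
function edit_product_checked(PDO $pdo, array $user, int $id, string $title): bool
{
    if (!$user['caneditproducts']) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT userid FROM rp_products WHERE id = ?');
    $stmt->execute([$id]);
    $ownerId = $stmt->fetchColumn();
    if ($ownerId === false) {
        return false; // no such product
    }
    $isAdmin = ($user['usergroup'] === 'admin');
    if (!$isAdmin && (int) $ownerId !== (int) $user['userid']) {
        // Record the refused attempt; a burst of these is a useful detection signal.
        error_log(sprintf('edit denied: user %d is not the owner of product %d', $user['userid'], $id));
        return false;
    }
    $sql = 'UPDATE rp_products SET title = ? WHERE id = ?' . ($isAdmin ? '' : ' AND userid = ?');
    $params = $isAdmin ? [$title, $id] : [$title, $id, $user['userid']];
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount() === 1;
}

// Demonstration: Bob (user 20) has edit permission and submits an edit for
// product 1, which belongs to Alice (user 10), and then for his own product 2.
$bob = ['userid' => 20, 'usergroup' => 'registered', 'caneditproducts' => true];
var_dump(edit_product_unchecked($pdo, $bob, 1, 'hijacked'));
var_dump(edit_product_checked($pdo, $bob, 1, 'hijacked'));
var_dump(edit_product_checked($pdo, $bob, 2, 'Bob v2'));
```

Run it with the php command-line binary (pdo_sqlite is required). The unchecked handler accepts Bob's edit of product 1 because his usergroup allows editing; the checked handler refuses it, logs the attempt, and still lets him edit product 2. This also matches the point in post #6: a user whose usergroup cannot edit is rejected before any ownership lookup happens, and hiding the edit link alone is not the control.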
#7, December 12th, 2006, 05:25 PM
Member, Verified Customer (Join Date: Jan 2002, Posts: 265)

Many thanks!
#8, December 12th, 2006, 07:10 PM
Member (Join Date: Nov 2006, Location: Port Coquitlam, BC, Posts: 51)

There is no editproduct.php in PhotoPost Pro. There is an editphoto.php, and the coding is a bit different but almost matches... is that the correct file, or are people using PhotoPost Pro unaffected?
#9, December 12th, 2006, 07:52 PM
Photopost Developer, Verified Customer (Join Date: Jun 2002, Location: Abingdon, MD, Posts: 66,720)

This is a ReviewPost issue, not PhotoPost.
#10, December 12th, 2006, 10:59 PM
Member (Join Date: Nov 2006, Location: Port Coquitlam, BC, Posts: 51)

My apologies.
#11, December 14th, 2006, 12:48 PM
Member, Verified Customer (Join Date: Nov 2005, Posts: 116)

Quote:
Originally Posted by Chuck S: In editproduct.php please add the code in bold...

Oops! Never mind.
Last edited by CGMathis; December 14th, 2006 at 12:53 PM.
Reason: found answer.