PhotoPost Photo Gallery Sales PhotoPost Sales Toll Free Phone Number
Mon-Fri 9am-4pm EST
  PhotoPost Photo Sharing Photo Gallery    Visualize community tm
| | | | | | | | |

Go Back   PhotoPost Community > General Forums > General Discussion

General Discussion General use discussion forum for PhotoPost products.

Reply
 
Thread Tools Rate Thread Display Modes
Old March 22nd, 2005, 02:58 PM   #1
WB
Member
Verified Customer
 
Join Date: Jan 2002
Posts: 265
[5.02] Security Related Question

For Michael P:

We recently upgraded to 5.02.

When we ran across:

http://secunia.com/advisories/14576/

we didn't pay it much mind as those issues appear to be fixed based on the release notes for 5.01 and/or 5.02.

Number 2 in the list however, appears to still be an issue on our site.

The release notes have:

misc.php
added a user check to only allow registered users to submit a report photo

for 5.01 but that doesn't appear to be the case for 5.02. Using the example provided, I can still generate emails without being authenticated.

Not really a big issue per se about the email but it does raise the question about the aforementioned holes and whether or not 5.02 may have inadvertently reintroduced some of them.

Question:

Can you confirm that the issues 1 - 5 mentioned on Secunia have been dealt with as of 5.02?

Thanks.
WB is offline   Reply With Quote
Old March 22nd, 2005, 03:57 PM   #2
Michael P
PhotoPost Developer
Verified Customer
 
Join Date: Jan 2002
Posts: 11,833
Not all of the issues in that advisory are valid issues; but all that were are addressed with the 5.02 release. If you look at the misc.php file, the lines 250-252 look for a userid that is non-zero before allowing any emails to be sent.
__________________
Please do not PM me for support or sales questions. Thank you for your understanding.
Michael P is offline   Reply With Quote
Old March 22nd, 2005, 04:01 PM   #3
WB
Member
Verified Customer
 
Join Date: Jan 2002
Posts: 265
Michael:

Thanks.

Not following about the userid check though.

As I understand it, it should disallow the emails being sent if the user is not registered but when I go to our test install and enter the URL mentioned at Secunia, an email gets sent (with no login on my part).

If registered users are the only ones that can submit a report photo, not quite following why the URL works when the user is not logged in.

Thanks.
WB is offline   Reply With Quote
Old March 22nd, 2005, 04:13 PM   #4
Michael P
PhotoPost Developer
Verified Customer
 
Join Date: Jan 2002
Posts: 11,833
If you have the lines:

Code:
Content visible to verified customers only.
in misc.php at lines 250ish, then it should be dying with a report of not logged in.

Just like if you click this link:

http://www.viperalley.com/gallery/mi...o&report=19514
__________________
Please do not PM me for support or sales questions. Thank you for your understanding.
Michael P is offline   Reply With Quote
Old March 22nd, 2005, 05:20 PM   #5
WB
Member
Verified Customer
 
Join Date: Jan 2002
Posts: 265
Michael:

Thanks.

The link provided works as expected and I get the same result in our test install.

I was taking the Secunia post more literally though in my test.

For example, if I try:

http://www.viperalley.com/gallery/mi...port=1&final=1

I get a note following that the report has been sent to the admin, same as I get on our site.

Shouldn't the report not go through with no email to the admin since the user isn't logged in?

Thanks.
WB is offline   Reply With Quote
Old March 22nd, 2005, 07:58 PM   #6
Michael P
PhotoPost Developer
Verified Customer
 
Join Date: Jan 2002
Posts: 11,833
Ah, my bad. I was looking at the wrong "report". As I indicated when I was contacted about this issue, this is not a "bug". It has been this way since the very early versions of PhotoPost and we have never had a complaint about how it was implemented. That's not to say we can't change that (and we have), but that doesn't mean its a "security bug".

In misc.php at line 294, you can add the code in bold:

Code:
Content visible to verified customers only.
__________________
Please do not PM me for support or sales questions. Thank you for your understanding.
Michael P is offline   Reply With Quote
Old March 23rd, 2005, 12:26 PM   #7
WB
Member
Verified Customer
 
Join Date: Jan 2002
Posts: 265
Michael:

Great, thanks for the explanation and the code addition.
WB is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Security Announcement: PhotoPost Immune from EXIF PHP Security Flaw Michael P General Discussion 0 December 22nd, 2004 08:10 AM


All times are GMT -5. The time now is 11:16 PM.

Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.