Geeklog The Ultimate Weblog System
Welcome to Geeklog
Thursday, May 15 2008 @ 11:15 PM EDT
   

Potential Security Flaw

A friend of mine signed up and I forgot to assign him to a private group I created called "friends" on my geeklog.

He wanted to view the hidden stories but he couldn't... he found a way to get to the security settings by clicking on the "mail story" button.

Well this confused me because he wasn't supposed to be able to see the story anyway to mail it.

I had only checked the site as an anonymous user and it's true that when I was anonymous I couldn't see the topic listed in the "sections" list nor could I see the story listed on the front page.

Yet when I created a simple user account I could suddenly read the lead section of the story and have access to e-mail the entire story to myself. If I click on the "read more" link I am told that I am not a member of the site, although technically I am a member since I created an account.

Sort of nit picky on that part but the security flaw is sort of an issue.

I think what may be happening, and I can't come up with a reason why it would happen, is that the story is being saved with the "member" box checked (even though I know I physically deselected the box when I submitted the story).

I've had to go back and remove the check from the "members" box to hide the story from regular members.

When I look at the settings for the "topic" called "friends" it shows that only "group" members can get into it, indeed, it doesn't show up as a topic under "sections" for a regular logged in user.

Is anyone following this? LOL

Thanks!

Potential Security Flaw
Authored by: Dirk on Thursday, May 15 2003 @ 10:59 AM EDT

Well, I had to read it twice ;-) but then I was able to reproduce it.

Yes, this is a bug. The topic permissions should work similar to the folder permissions on a file system: If you don't have access to the folder (topic) you shouldn't be able to see the files (stories) in it. As you saw, article.php implements this correctly, but index.php doesn't.

A replacement for index.php is now available from the Downloads section. It fixes this problem as well as two other minor issues (not security related: the number of pages on the "Google paging" was wrong under certain conditions and some right blocks didn't show up for an empty topic).

Simply copy the new index.php over the one on your website and all should be well again.

Thanks for bringing this to our attention!

bye, Dirk
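
The folder-style rule described in the comment above, as an added PHP sketch that is not Geeklog's code and not part of the original thread. The data model, function names and sample records are hypothetical; it contrasts a listing that checks only per-story permissions with one that requires topic access first.

```php
<?php
// Simplified model, not Geeklog's schema: every name below is hypothetical.
// A topic or story is readable by its group, optionally by all logged-in
// members, optionally by anonymous visitors.
function canRead(array $item, array $user): bool
{
    if ($item['anon']) {
        return true;
    }
    if ($user['logged_in'] && $item['members']) {
        return true;
    }
    return in_array($item['group'], $user['groups'], true);
}

// Front-page listing with the flaw discussed in the thread: only the story's
// own permissions are checked, so a story in a restricted topic leaks.
function listStoriesStoryOnly(array $stories, array $topics, array $user): array
{
    return array_values(array_filter($stories,
        fn(array $s): bool => canRead($s, $user)));
}

// Folder-style check: the topic must be readable first, then the story.
// An unknown topic id denies access (fail closed).
function listStories(array $stories, array $topics, array $user): array
{
    return array_values(array_filter($stories, function (array $s) use ($topics, $user): bool {
        $topic = $topics[$s['topic']] ?? null;
        return $topic !== null && canRead($topic, $user) && canRead($s, $user);
    }));
}

// Constructed sample data.
$topics = [
    'general' => ['group' => 'all', 'members' => true, 'anon' => true],
    'friends' => ['group' => 'friends', 'members' => false, 'anon' => false],
];
$stories = [
    ['title' => 'Welcome', 'topic' => 'general', 'group' => 'all', 'members' => true, 'anon' => true],
    // Story saved with the "members" box checked, as the submitter suspected.
    ['title' => 'Private', 'topic' => 'friends', 'group' => 'friends', 'members' => true, 'anon' => false],
];
$member = ['logged_in' => true, 'groups' => ['all']];

foreach (['listStoriesStoryOnly', 'listStories'] as $fn) {
    echo $fn, ': ', implode(', ', array_column($fn($stories, $topics, $member), 'title')), "\n";
}
```
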

Potential Security Flaw
Authored by: Anonymous on Thursday, May 15 2003 @ 03:15 PM EDT
Will this be in the daily tar?

I assume, yes.
Potential Security Flaw
Authored by: Dirk on Thursday, May 15 2003 @ 05:19 PM EDT
Your assumption is correct ;-)

The implementation in CVS differs slightly (and you can't use that file for a 1.3.7sr1 installation), but it solves the same problem(s).

bye, Dirk
Potential Security Flaw
Authored by: rawdata on Thursday, May 15 2003 @ 05:26 PM EDT
What daily tar?
Potential Security Flaw
Authored by: chief123 on Thursday, May 15 2003 @ 07:12 PM EDT
So I guess this means the menu plugin won't work anymore since it replaces index.php.

Any workarounds for the menu plugin now?

Thanks.
Potential Security Flaw
Authored by: Anonymous on Thursday, May 15 2003 @ 07:45 PM EDT
Yes this interests me as well. Love GeekLog
Potential Security Flaw
Authored by: DTrumbower on Thursday, May 15 2003 @ 11:17 PM EDT
I don't know the particulars but you could look at the cvs changes.

http://cvs.geeklog.net/chora/cvs.php/geeklog-1.3/public_html/index.php?onb=1.40.2&Horde=6603ca29eb1429e0c65fbd9d7e5c4960

or see if Dirk can respond.
Potential Security Flaw
Authored by: vbgunz on Friday, May 16 2003 @ 01:57 PM EDT
My Menu plugin seems to work fine... What is the problem the new index causes to the menu plugin? I replaced the index.php directly within public_html/index.php... Is this the file I am supposed to replace?

I do not see anything wrong with the Menu plugin so far... Please help :)

---
Victor B. Gonzalez
Potential Security Flaw
Authored by: DTrumbower on Thursday, May 15 2003 @ 11:01 PM EDT
This daily tar.

http://www.geeklog.net/staticpages/index.php?page=20030212131112900
Potential Security Flaw
Authored by: rawdata on Saturday, May 17 2003 @ 12:59 PM EDT
Thanks much.