
Security issue with AjaxQuote

edited August 2008 in Vanilla 1.0 Help
AjaxQuote/ajax.php gives the comment body without checking the permissions of the user on the comment.

Here is a fix:

```php
<?php
include("../../appg/settings.php");
include("../../conf/settings.php");
include("../../appg/init_ajax.php");

// Refuse anything that is not a positive integer comment id
if (!$CommentID = ForceIncomingInt('CommentID', 0)) {
    echo 'ERROR';
} else {
    $UserID = $Context->Session->UserID;
    $cm = $Context->ObjectFactory->NewContextObject($Context, 'CommentManager');
    // Look the comment up on behalf of the requesting user
    if (!$Comment = $cm->GetCommentById($CommentID, $UserID)) {
        echo 'ERROR';
    } else {
        // A whispered comment, or a comment in a whispered discussion, is only
        // returned to its author, the whisper recipient, or a user holding
        // PERMISSION_VIEW_ALL_WHISPERS
        if (($Comment->WhisperUserID > 0
                && $Comment->AuthUserID != $UserID
                && $Comment->WhisperUserID != $UserID
                && !$Context->Session->User->Permission('PERMISSION_VIEW_ALL_WHISPERS'))
            || ($Comment->DiscussionWhisperUserID > 0
                && $Comment->AuthUserID != $UserID
                && $Comment->DiscussionWhisperUserID != $UserID
                && !$Context->Session->User->Permission('PERMISSION_VIEW_ALL_WHISPERS'))
        ) {
            echo 'ERROR';
        } else {
            echo $Comment->Body;
        }
    }
}
$Context->Unload();
?>
```
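The following is an added example, not code from the thread or from the AjaxQuote extension: a stand-alone PHP model of the authorization rule the patch applies, so the difference between the unpatched endpoint (any valid CommentID returns the body) and the patched one can be exercised outside Vanilla. The comment records, user ids and the `$canViewAllWhispers` flag (standing in for `$Context->Session->User->Permission('PERMISSION_VIEW_ALL_WHISPERS')`) are constructed here; only the whisper rules written out in the patch are modeled, and whatever `GetCommentById` enforces for the passed `$UserID` is outside this example.

```php
<?php
// Added example (not the extension's code): models the whisper authorization
// rule from the patch. All data below is constructed for illustration.

// Constructed comment records in the shape the patch reads from $Comment.
$comments = [
    10 => ['AuthUserID' => 1, 'WhisperUserID' => 0, 'DiscussionWhisperUserID' => 0, 'Body' => 'public comment'],
    11 => ['AuthUserID' => 1, 'WhisperUserID' => 2, 'DiscussionWhisperUserID' => 0, 'Body' => 'whisper to user 2'],
    12 => ['AuthUserID' => 3, 'WhisperUserID' => 0, 'DiscussionWhisperUserID' => 4, 'Body' => 'comment in whispered discussion'],
];

// A whisper (recipient id > 0) is readable by its author, its recipient, or a
// user holding the view-all-whispers permission; anyone else is refused.
function whisperAllows(int $whisperTo, int $authorId, int $userId, bool $canViewAllWhispers): bool
{
    if ($whisperTo <= 0) {
        return true; // not a whisper, nothing to restrict here
    }
    return $authorId === $userId || $whisperTo === $userId || $canViewAllWhispers;
}

// Both the comment-level and the discussion-level whisper must allow the viewer.
function canViewComment(array $comment, int $userId, bool $canViewAllWhispers): bool
{
    return whisperAllows($comment['WhisperUserID'], $comment['AuthUserID'], $userId, $canViewAllWhispers)
        && whisperAllows($comment['DiscussionWhisperUserID'], $comment['AuthUserID'], $userId, $canViewAllWhispers);
}

// Unpatched behaviour: any existing CommentID yields the body, whoever asks.
function ajaxQuoteUnpatched(array $comments, $commentId): string
{
    $id = (int) $commentId;
    return isset($comments[$id]) ? $comments[$id]['Body'] : 'ERROR';
}

// Patched behaviour: same lookup, followed by the authorization check.
function ajaxQuotePatched(array $comments, $commentId, int $userId, bool $canViewAllWhispers): string
{
    $id = (int) $commentId;
    if ($id <= 0 || !isset($comments[$id])) {
        return 'ERROR';
    }
    return canViewComment($comments[$id], $userId, $canViewAllWhispers) ? $comments[$id]['Body'] : 'ERROR';
}

// Cases: user 5 is a bystander, user 2 the whisper recipient, user 1 the author,
// and 'mod' => true marks a session that may view all whispers.
$cases = [
    ['id' => 10, 'user' => 5, 'mod' => false, 'expect' => 'public comment'],
    ['id' => 11, 'user' => 5, 'mod' => false, 'expect' => 'ERROR'],
    ['id' => 11, 'user' => 2, 'mod' => false, 'expect' => 'whisper to user 2'],
    ['id' => 11, 'user' => 1, 'mod' => false, 'expect' => 'whisper to user 2'],
    ['id' => 12, 'user' => 5, 'mod' => false, 'expect' => 'ERROR'],
    ['id' => 12, 'user' => 5, 'mod' => true,  'expect' => 'comment in whispered discussion'],
    ['id' => 99, 'user' => 5, 'mod' => true,  'expect' => 'ERROR'],
];

foreach ($cases as $c) {
    $before = ajaxQuoteUnpatched($comments, $c['id']);
    $after  = ajaxQuotePatched($comments, $c['id'], $c['user'], $c['mod']);
    if ($after !== $c['expect']) {
        throw new RuntimeException("unexpected result for comment {$c['id']}, user {$c['user']}: $after");
    }
    printf("comment %d, user %d: unpatched=%s | patched=%s\n", $c['id'], $c['user'], $before, $after);
}
```

Run with `php example.php`; the unpatched column shows the whisper bodies handed to user 5, the patched column shows `ERROR` for the same requests while the author, the recipient and the view-all-whispers session still get the body.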

Comments

  • I used this patch and everything still works for me. I can't code PHP, so I'll take your word that it fixes something that's broken :D
  • Does this need adding to the extension? Or would a link to this thread in the description be appropriate?
  • edited October 2007
    @Stach: With the original AjaxQuote/ajax.php, you can access comments whether you have permission to read them or not, like whisper or deleted comments or comments from a category you don't have access to. This modification just checks that you have the permission to read the comment that you request. @Minisweeper: I tried to contact Scip about it 3 weeks ago, without success. Mark tried as well. I guess you can put it in the extension if you think it is necessary.
  • Please do Mini. I think there should be a 1 week response rule for security issues, and a 2 week rule for others...
    i.e. no reaction in one/two weeks and we edit it for you. :-)

    Original owner gets sent an updated version of his/her code for future maintenance if so desired.
    (of course not just everyone can modify, Mini/Mark makes sense to me)
  • It seems the permissions system on the addons site isn't working. I'll get Mark to take a look at it...
  • I've been having a problem with this extension and the vanilla green style. If you attempt to quote a comment on the first page of a multiple page discussion, it will not re-direct to the comment box page (last page of discussion). I'm thinking that there might be a conflict with the friendly URLs extension that's enabled, but I'm not sure. Any help would be appreciated.
  • Found that this problem was due to Friendly URLs and the associated .htaccess rules. Fixed it.
  • What was your fix?
  • Indeed, we all need to know if there's a bug!
  • Mark (Vanilla Staff)
    Bump - has this been updated?
  • edited October 2007
    No, it's still the old version in the add-on repository.
  • Thanks for the fix I'm testing AjaxQuote out over the other Quotations extension. I appreciate the developers' and greater community's efforts! Thank ya!
  • What fix? Do you have xur's fix? If so can you please share it with the rest of us?