
Security issue with AjaxQuote

AjaxQuote/ajax.php gives the comment body without checking the permissions of the user on the comment.

Here is a fix:

<?php

// Bootstrap the Vanilla context for an AJAX request.
include("../../appg/settings.php");
include("../../conf/settings.php");
include("../../appg/init_ajax.php");

// CommentID must be a positive integer taken from the request.
if (!$CommentID = ForceIncomingInt('CommentID', 0)) echo 'ERROR';
else {

    $UserID = $Context->Session->UserID;

    // Look the comment up as the requesting user, not anonymously.
    $cm = $Context->ObjectFactory->NewContextObject($Context, 'CommentManager');
    if (!$Comment = $cm->GetCommentById($CommentID, $UserID)) echo 'ERROR';
    else {
        // A whispered comment, or a comment in a whispered discussion, is
        // only readable by its author, the whisper target, or a user holding
        // PERMISSION_VIEW_ALL_WHISPERS. Anyone else gets the same 'ERROR'
        // as an unknown CommentID, so the response does not reveal whether
        // the comment exists.
        if (($Comment->WhisperUserID > 0 &&
             $Comment->AuthUserID != $UserID && $Comment->WhisperUserID != $UserID &&
             !$Context->Session->User->Permission('PERMISSION_VIEW_ALL_WHISPERS')
            ) ||
            ($Comment->DiscussionWhisperUserID > 0 &&
             $Comment->AuthUserID != $UserID && $Comment->DiscussionWhisperUserID != $UserID &&
             !$Context->Session->User->Permission('PERMISSION_VIEW_ALL_WHISPERS')
            )) echo 'ERROR';
        else echo $Comment->Body;
    }
}

$Context->Unload();

?>
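As an added illustration (this is not code from AjaxQuote, from Vanilla, or from the fix above), the script below models the authorization rule the patched ajax.php applies, with the Vanilla objects replaced by a hypothetical in-memory comment store so it runs stand-alone. It shows the original endpoint's behaviour (lookup by CommentID only, whoever is asking) next to the patched behaviour (lookup, then the whisper rule), over a few constructed comments and requesting users. Field names mirror the ones the fix reads; the store, the function names and the sample data are assumptions made for the example.

```php
<?php
// Added example, not part of the AjaxQuote extension or the fix above.
// Run with: php whisper_check.php
declare(strict_types=1);

// The rule the patch enforces: a whispered comment, or a comment inside a
// whispered discussion, may be read only by its author, the whisper target,
// or a user holding PERMISSION_VIEW_ALL_WHISPERS (passed here as a bool).
function commentVisibleTo(array $comment, int $userId, bool $viewAllWhispers): bool
{
    $isAuthor = $comment['AuthUserID'] === $userId;

    if ($comment['WhisperUserID'] > 0
        && !$isAuthor
        && $comment['WhisperUserID'] !== $userId
        && !$viewAllWhispers) {
        return false;
    }
    if ($comment['DiscussionWhisperUserID'] > 0
        && !$isAuthor
        && $comment['DiscussionWhisperUserID'] !== $userId
        && !$viewAllWhispers) {
        return false;
    }
    return true;
}

// Original behaviour: the body comes back for any CommentID that exists,
// regardless of who is asking (the requesting user is never consulted).
function fetchBodyUnchecked(array $store, int $commentId): string
{
    return isset($store[$commentId]) ? $store[$commentId]['Body'] : 'ERROR';
}

// Patched behaviour: same lookup, then the visibility rule. An unreadable
// comment and an unknown CommentID both produce 'ERROR'.
function fetchBodyChecked(array $store, int $commentId, int $userId, bool $viewAllWhispers): string
{
    if (!isset($store[$commentId])) {
        return 'ERROR';
    }
    $comment = $store[$commentId];
    return commentVisibleTo($comment, $userId, $viewAllWhispers) ? $comment['Body'] : 'ERROR';
}

// Constructed sample data (hypothetical store keyed by CommentID).
$store = [
    1 => ['AuthUserID' => 10, 'WhisperUserID' => 0,  'DiscussionWhisperUserID' => 0,  'Body' => 'public comment'],
    2 => ['AuthUserID' => 10, 'WhisperUserID' => 20, 'DiscussionWhisperUserID' => 0,  'Body' => 'whispered to user 20'],
    3 => ['AuthUserID' => 10, 'WhisperUserID' => 0,  'DiscussionWhisperUserID' => 30, 'Body' => 'in a discussion whispered to user 30'],
];

// [CommentID, requesting UserID, holds PERMISSION_VIEW_ALL_WHISPERS, expected result]
$cases = [
    [2, 99, false, 'ERROR'],                                 // outsider cannot read a whisper
    [2, 20, false, 'whispered to user 20'],                  // the whisper target can
    [2, 10, false, 'whispered to user 20'],                  // the author can
    [3, 99, false, 'ERROR'],                                 // outsider, whispered discussion
    [3, 99, true,  'in a discussion whispered to user 30'],  // moderator with the permission
    [1, 0,  false, 'public comment'],                        // guest (UserID 0), public comment
    [4, 10, true,  'ERROR'],                                 // unknown CommentID
];

foreach ($cases as [$id, $uid, $perm, $expected]) {
    $before = fetchBodyUnchecked($store, $id);
    $after  = fetchBodyChecked($store, $id, $uid, $perm);
    printf("comment %d user %d perm=%s  before: %-40s after: %s\n",
        $id, $uid, $perm ? 'y' : 'n', $before, $after);
    if ($after !== $expected) {
        throw new RuntimeException("unexpected result for comment $id, user $uid");
    }
}
```

The "before" column shows why this is a missing authorization check rather than an input-validation bug: the CommentID is a well-formed integer, and the lookup succeeds, but nothing ties the result to the requesting user. Only the whisper rules the patch spells out in PHP are modelled here; whatever CommentManager::GetCommentById enforces when it is given $UserID (for example category access) is outside this example.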

Comments

  • Posts: 2,610
    I used this patch and everything still works for me. I can't code PHP, so I'll take your word that it fixes something that's broken :D
  • Posts: 5,574
    Does this need adding to the extension? Or would a link to this thread in the description be appropriate?
  • Posts: 1,880
    @Stach: With the original AjaxQuote/ajax.php, you can access comments whether you have permission to read them or not, like whisper or deleted comments or comments from a category you don't have access to. This modification just checks that you have the permission to read the comment that you request. @Minisweeper: I tried to contact Scip about it 3 weeks ago, without success. Mark tried as well. I guess you can put it in the extension if you think it is necessary.
  • Please do Mini. I think there should be a 1 week response rule for security issues, and a 2 week rule for others...
    i.e. no reaction in one/two weeks and we edit it for you. :-)

    Original owner gets sent an updated version of his/her code for future maintenance if so desired.
    (of course not just everyone can modify, Mini/Mark makes sense to me)
  • Posts: 5,574
    It seems the permissions system on the addons site isn't working. I'll get Mark to take a look at it...
  • xurxur
    Posts: 15
    I've been having a problem with this extension and the vanilla green style. If you attempt to quote a comment on the first page of a multiple page discussion, it will not re-direct to the comment box page (last page of discussion). I'm thinking that there might be a conflict with the friendly URLs extension that's enabled, but I'm not sure. Any help would be appreciated.
  • xurxur
    Posts: 15
    Found that this problem was due to friendly URLs and the associated .htaccess rules. Fixed it.
  • Posts: 5,574
    What was your fix?
  • Posts: 2,610
    Indeed, we all need to know if there's a bug!
  • Posts: 4,883
    Bump - has this been updated?
  • Posts: 1,880
    No, it's still the old version on the add-on repository.
  • XKXK
    Posts: 35
    Thanks for the fix I'm testing AjaxQuote out over the other Quotations extension. I appreciate the developers' and greater community's efforts! Thank ya!
  • Posts: 2,610
    What fix? Do you have xur's fix? If so can you please share it with the rest of us?
This discussion has been closed.