[geeklog-devel] Minor(?) Security Issue

Dirk Haun dirk at haun-online.de
Sat Dec 28 18:07:52 EST 2002


Okay, the following security issue was brought to my attention:

Any StoryAdmin can change _any_ story on a site, even if s/he only has
read access to the story. What they need to do is make a copy of the
Admin's story submission form and add the sid (story id) of the story
they want to change. With an input field like <input type="text"
name="sid" value=""> they could even do this comfortably ...

I have been able to reproduce the problem, but haven't looked at the code yet.

To quote Kobaz (the guy who found this), from IRC:

> in function submitstory in admin/story.php
[...]
> anyways, if you take a peek
> at that function
> there is no permission checking at all
> that function is where permission checking is most important
> if you shove a SEC_hasAccess in there
> that will seriously reduce the potential to exploit
> there still are other issues besides that
> any user can change the group ownership to be any group
> well, not any user
> any storyadmin
[...]
> i just wanted to bring it to you guys' attention
> so there's a few things it should check for, number one if you have write
> access, number two, make sure the user is changing the group to a group he
> is a member of
> and if the user isn't the owner, he shouldn't be able to change owner
> permissions either

While this problem won't affect most of our hobbyist users, it may have
some more severe consequences in corporate use (e.g. when the StoryAdmin
for sales can change stories available only to management).

Incidentally, this may be a good time for a 1.3.7sr1 release. We could
include updated documentation with the new geeklog.net URLs and we could
also fix one or two of the other 1.3.7 issues. Specifically, I'm thinking
about adding a config option for the daily digest (i.e. to let the site
owner choose what the default is - new users will get the digest
automatically or not). Also, the redirect in index.php seems to cause
problems on some setups.

bye, Dirk


-- 
http://www.haun-online.de/
http://geeklog.info/
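The three checks Kobaz lists (write access to the existing story, a new group the user is actually a member of, and owner permissions changeable only by the owner), as an added PHP example that is not Geeklog's own code. The record layout (owner_id, group_id, perm_owner, perm_group, perm_members, perm_anon), the 3 = read+write / 2 = read / 0 = none convention, and the helper names story_access() and check_story_edit() are assumptions made for this example; in the real admin/story.php the access lookup would be the SEC_hasAccess() call mentioned above, applied to the story the submitted sid points at before any field of it is touched:

```php
<?php
// Added example, not Geeklog code. Models the permission checks missing from
// submitstory() on a story record with Geeklog-style owner/group/perm fields.
// Field names, helper names and the 3/2/0 access convention are assumptions.

const PERM_READ  = 2;
const PERM_WRITE = 3;   // read + write

// Constructed story: owned by uid 2, in group 4 ("Management"); owner and
// group may read/write, other members and anonymous users get nothing.
$story = [
    'sid'          => 'example_sid',
    'owner_id'     => 2,
    'group_id'     => 4,
    'perm_owner'   => 3,
    'perm_group'   => 3,
    'perm_members' => 0,
    'perm_anon'    => 0,
];

// Constructed current user: uid 7 is a StoryAdmin who belongs to group 5
// ("Sales") only, i.e. has no access at all to the management story.
$sales_admin = ['uid' => 7, 'groups' => [5]];

// Stand-in for SEC_hasAccess(): the effective access level of $user on $story.
function story_access(array $user, array $story): int
{
    if ($user['uid'] === $story['owner_id']) {
        return $story['perm_owner'];
    }
    if (in_array($story['group_id'], $user['groups'], true)) {
        return $story['perm_group'];
    }
    if ($user['uid'] > 1) {                // assumption: uid 1 is anonymous
        return $story['perm_members'];
    }
    return $story['perm_anon'];
}

// Validate a submitted edit against the story already in the database (the
// one whose sid the form carries). Returns '' if the edit may proceed, or the
// reason it is refused. $submitted mirrors the form fields.
function check_story_edit(array $user, array $story, array $submitted): string
{
    // 1. The user must have write access to the existing story. This is the
    //    check a forged form post with someone else's sid currently bypasses.
    if (story_access($user, $story) < PERM_WRITE) {
        return 'no write access to story ' . $story['sid'];
    }
    // 2. The story may only be moved into a group the user is a member of.
    if (!in_array($submitted['group_id'], $user['groups'], true)) {
        return 'cannot assign story to group ' . $submitted['group_id'];
    }
    // 3. Only the owner may change the owner permissions.
    if ($user['uid'] !== $story['owner_id']
        && $submitted['perm_owner'] !== $story['perm_owner']) {
        return 'only the owner may change owner permissions';
    }
    return '';
}

// A form post that names the management story's sid but comes from the
// sales StoryAdmin: refused at check 1, before anything is written.
$forged = ['sid' => $story['sid'], 'group_id' => 5, 'perm_owner' => 3];
echo check_story_edit($sales_admin, $story, $forged), "\n";

// The owner editing their own story within their own group: allowed.
$owner = ['uid' => 2, 'groups' => [4]];
$edit  = ['sid' => $story['sid'], 'group_id' => 4, 'perm_owner' => 3];
echo (check_story_edit($owner, $story, $edit) === '' ? 'edit allowed' : 'edit refused'), "\n";
```

The important ordering detail is that check 1 is evaluated against the stored story, not against the values in the submitted form: a form can claim any owner, group or permission bits, so the only trustworthy inputs are the sid (used purely as a lookup key) and the session's own user id and group list.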