Blog Documentation Book a Demo
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Security issue with AjaxQuote

DinoboffDinoboff
edited August 2008 in Vanilla 1.0 Help
AjaxQuote/ajax.php give the comment body without checking the permissions of the user on the comment.

Here is a fix:<?php include("../../appg/settings.php"); include("../../conf/settings.php"); include("../../appg/init_ajax.php"); if (!$CommentID = ForceIncomingInt('CommentID', 0)) echo 'ERROR'; else { $UserID = $Context->Session->UserID; $cm = $Context->ObjectFactory->NewContextObject($Context, 'CommentManager'); if(!$Comment = $cm->GetCommentById($CommentID, $UserID)) echo 'ERROR'; else { if(($Comment->WhisperUserID > 0 && $Comment->AuthUserID != $UserID && $Comment->WhisperUserID != $UserID && !$Context->Session->User->Permission('PERMISSION_VIEW_ALL_WHISPERS') ) || ($Comment->DiscussionWhisperUserID > 0 && $Comment->AuthUserID != $UserID && $Comment->DiscussionWhisperUserID != $UserID && !$Context->Session->User->Permission('PERMISSION_VIEW_ALL_WHISPERS') ) ) echo 'ERROR'; else echo $Comment->Body; } } $Context->Unload(); ?>

Comments

  • StashStash
    I used this patch and everything still works for me. I can't code PHP, so I'll take your wrd that it fixes something that's broken :D
  • MinisweeperMinisweeper New
    Does this need adding to the extension? Or would a link to this thread in the description be appropriate?
  • DinoboffDinoboff
    edited October 2007
    @Stach: With the original AjaxQuote/ajax.php, you can access comments whatever you have permission to read them or not, like whisper or deleted comments or comment from a category you don't have access to. This modification just check that you have the permission to read the comment that you request. @Minisweeper: I tried to contact Scip about it 3 weeks ago, without success. Mark tried as well. I guess you can put it in the extension if you think it is necessary.
  • TomTesterTomTester New
    Please do Mini. I think there should be a 1 week response rule for security issues, and a 2 week rule for others...
    i.e. no reaction in one/two weeks and we edit it for you. :-)

    Original owner gets sent an updated version of his/her code for future maintenance if so desired.
    (of course not just everyone can modify, Mini/Mark makes sense to me)
  • MinisweeperMinisweeper New
    It seems the permissions system on the addons site isnt working. I'll get mark to take a look at it...
  • xurxur
    I've been having a problem with this extension and the vanilla green style. If you attempt to quote a comment on the first page of a multiple page discussion, it will not re-direct to the comment box page (last page of discussion). I'm thinking that there might be a conflict with the friendly URLs extension that's enabled, but I'm not sure. Any help would be appreciated.
  • xurxur
    found that this problem was due to friendly urls and the associated .htaccess rules. fixed it.
  • MinisweeperMinisweeper New
    What was your fix?
  • StashStash
    Indeed, we all need to know if there's a bug!
  • MarkMark Vanilla Staff
    Bump - has this been updated?
  • DinoboffDinoboff
    edited October 2007
    no, it's still the old version on the add-on repertory.
  • XKXK New
    Thanks for the fix I'm testing AjaxQuote out over the other Quotations extension. I appreciate the developers' and greater community's efforts! Thank ya!
  • StashStash
    What fix? Do you have xur's fix? If so can you please share it with the rest of us?
This discussion has been closed.