Serious Security Issue In PHPMyFAQ 1.4

Moderator: Thorsten

Schmoe
Posts: 7
Joined: Tue Jul 27, 2004 4:24 am

Post by Schmoe »

Hi,
I've been using phpmyfaq through the last 4 versions and it's great. But, I've found a serious security issue in the wysiwyg image manager in the latest release. The image manager can be accessed by anyone on the web without logging in :(

All someone has to do to access the image manager is type the location into their browser:
[URL removed for security reasons - Thorsten]

This person can then upload any images they want to your site or DELETE all the images you've uploaded!

Is it possible to add some sort of authentication into the image upload plugin?
Thorsten
Posts: 15739
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

I didn't test this and you're right. I'll fix this as soon as possible.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
Thorsten
Posts: 15739
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

I fixed it now. It would have been better if you had sent this information via e-mail instead of posting it here.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Schmoe
Posts: 7
Joined: Tue Jul 27, 2004 4:24 am

Post by Schmoe »

Thorsten,
I'm just getting a blank page with the new manager.php. Also, there's another very serious security issue that I sent you info on via email.

Thanks for all your great work!
Thorsten
Posts: 15739
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

the second issue is fixed, too. I updated the files on the download page.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Schmoe
Posts: 7
Joined: Tue Jul 27, 2004 4:24 am

Post by Schmoe »

Thanks again. :)

I'm still having the issue with a blank page/box instead of the image manager. I even cleared the browser cache just to make sure that I'm not getting the old version of image-manager.js, but the problem persists in both IE and Mozilla.
Thorsten
Posts: 15739
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

is your FAQ online? Can I test it there?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Chad Beattie
Posts: 10
Joined: Tue Jul 27, 2004 6:54 pm

Post by Chad Beattie »

I am also having this same problem. You can test it out here:

http://216.161.65.120/phpmyfaq/

I will PM you the admin login info too. At least in my case, when submitting new content via the normal interface, I don't see the WYSIWYG, but I do when using the admin interface. Is this normal? I have tried in both IE on Windows XP with Java installed and also Firefox version .9.2. Firefox seems to give me better results with this, but I still only see the WYSIWYG editor in admin mode editing.

Thank you.
Thorsten
Posts: 15739
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

you're right.

Can you add

Code:

error_reporting(E_ALL);
in the first line of file manager.php after the <?php ?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Schmoe
Posts: 7
Joined: Tue Jul 27, 2004 4:24 am

Post by Schmoe »

Thorsten wrote:
Hi,
is your FAQ online? Can I test it there?

Unfortunately, the faq I am testing on is local :(

I turned on error reporting as instructed, but I am not getting any error results. :?: :?: :?:

I tried both

Code:

error_reporting(E_ALL); 
and

Code:

ini_set('error_reporting', E_ALL);
, but neither produced any results.
Thorsten
Posts: 15739
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

no Java error and no JavaScript error. This is really strange. It works perfectly on my test systems.

I'll look for a solution.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Schmoe
Posts: 7
Joined: Tue Jul 27, 2004 4:24 am

Post by Schmoe »

I do get one error if the session has expired:
Notice: Undefined variable: auth in /admin/editor/plugins/ImageManager/manager.php on line 49
You are not authorized.

...but maybe this is how the authentication is supposed to work?
Thorsten
Posts: 15739
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Post by Thorsten »

Hi,

I think I found the bug. Look in the manager.php and images.php file for

Code:

if ($_REQUEST["uin"]) {
	$uin = $_REQUEST["uin"];
	}
and replace it with:

Code:

if ($_REQUEST["uin"]) {
    $uin = str_replace("uin=", "", $_REQUEST["uin"]);
    $uin = str_replace("&aktion=editentry", "", $uin);
}
Please post, if this works.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
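
A fail-closed form of the access check discussed in the posts above, as an added example that is not phpMyFAQ's own code. It assumes the `uin` session token is 32 hex characters and that sessions are kept in a token-to-expiry map; the function names and the sample tokens are hypothetical.

```php
<?php
// Added example, not phpMyFAQ code. Assumptions: the admin session token
// ("uin") is 32 hex characters, and sessions live in a store that maps
// token => expiry timestamp. The array below is constructed sample data.
$sessions = [
    'a3f1c9e07b2d4f6a8c0e1b3d5f7a9c2e' => time() + 600,   // active
    '0123456789abcdef0123456789abcdef' => time() - 60,    // expired
];

// Return the token only if it has the expected shape. A malformed value
// such as "uin=...&aktion=editentry" is rejected here, not repaired.
function extract_uin(array $request): ?string
{
    $raw = $request['uin'] ?? null;          // no notice when the key is absent
    if (!is_string($raw) || !preg_match('/\A[0-9a-f]{32}\z/', $raw)) {
        return null;
    }
    return $raw;
}

// Fail closed: $auth starts false and only a known, unexpired session
// flips it, so no code path reaches the check with $auth undefined.
function is_authorized(array $request, array $sessions): bool
{
    $auth = false;
    $uin = extract_uin($request);
    if ($uin !== null && isset($sessions[$uin]) && $sessions[$uin] > time()) {
        $auth = true;
    }
    return $auth;
}

// Constructed requests covering the cases raised in the thread.
$cases = [
    'no uin (direct URL access)' => [],
    'valid session'              => ['uin' => 'a3f1c9e07b2d4f6a8c0e1b3d5f7a9c2e'],
    'expired session'            => ['uin' => '0123456789abcdef0123456789abcdef'],
    'mangled query string'       => ['uin' => 'uin=a3f1c9e07b2d4f6a8c0e1b3d5f7a9c2e&aktion=editentry'],
];
foreach ($cases as $label => $request) {
    $verdict = is_authorized($request, $sessions) ? 'allowed' : 'You are not authorized.';
    printf("%-28s %s\n", $label, $verdict);
}
```

In a plugin script, a check of this kind would run before any upload or delete handling and end the request on failure.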
Schmoe
Posts: 7
Joined: Tue Jul 27, 2004 4:24 am

Post by Schmoe »

Hi,
I made the replacements in both files, but unfortunately it didn't fix the problem.
Chad Beattie
Posts: 10
Joined: Tue Jul 27, 2004 6:54 pm

Post by Chad Beattie »

I added

Code:

error_reporting(E_ALL);
to manager.php after the first <?php

Also, I made the changes for the possible bug fixes. My code in manager.php looks like this. I added the output for $_REQUEST just so I can see what the values are set to.

Code:

/*if ($_REQUEST["uin"]) {
    $uin = $_REQUEST["uin"];
    }
    */
echo '<pre>';
print_r($_REQUEST);
echo '</pre>';
if ($_REQUEST["uin"]) {
    $uin = str_replace("uin=", "", $_REQUEST["uin"]);
    $uin = str_replace("&aktion=editentry", "", $uin);
    }
My code in images.php looks like this

Code:

/*if ($_REQUEST["uin"]) {
    $uin = str_replace("uin=", "", $_REQUEST["uin"]);
    }
    */
if ($_REQUEST["uin"]) {
    $uin = str_replace("uin=", "", $_REQUEST["uin"]);
    $uin = str_replace("&aktion=editentry", "", $uin);
    }
With these changes I am still seeing the same problems. I will see if I can find anything as I have some time today to look at it a bit more.

Thanks