search for nothing and get everything


Started by diverdan, October 03, 2006, 04:27:33 AM

diverdan

In my gallery I have most of my pictures set so that you have to be a registered user to see them. I felt all secure until I discovered that I could perform a search and return ALL the pictures in my gallery. Without logging in I went to the search page and I used the OR option and searched for space (" "). All the pictures in my gallery were returned. I was then free to click around and view any of them. Even the admin only restricted group. I'd post a link but, well, I don't want the world viewing my gallery.

diverdan

Oh yeah, forgot to include version info:

URL: https://svn.sourceforge.net/svnroot/coppermine/trunk/stable

Revision: 3301
Node Kind: directory
Schedule: normal
Last Changed Author: gaugau
Last Changed Rev: 3292
Last Changed Date: 2006-09-17 11:57:04 -0700 (Sun, 17 Sep 2006)

Joachim Müller


diverdan

Looks like this code just needs some extra parentheses.

This is the sql from my " " search:

mysql> use photogallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT COUNT(*) FROM coppermine_pictures WHERE (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') OR (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') AND aid NOT IN (8,9,10,11,12,13,16,17,20,21,22,24,25,26,27,28,29,32,33,34,35,37,38);
+----------+
| COUNT(*) |
+----------+
|      985 |
+----------+
1 row in set (0.01 sec)

Too many results!
Here is the result when the ORs are wrapped in parentheses and then compared to AND.

mysql> SELECT COUNT(*) FROM coppermine_pictures WHERE ((title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') OR (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%')) AND (aid NOT IN (8,9,10,11,12,13,16,17,20,21,22,24,25,26,27,28,29,32,33,34,35,37,38));
+----------+
| COUNT(*) |
+----------+
|       87 |
+----------+
1 row in set (0.01 sec)

mysql>

Ah, the correct number.

Joachim Müller

I tried accessing the site (using the link you PMed me as requested), but your gallery is currently offline. I will try to replicate the issue on my testbed.

Nibbler

include/search.inc.php

$sql .= implode($type, $sections);

That should be

$sql .= '(' . implode($type, $sections) . ')';

:-[
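The precedence bug Nibbler's one-line fix addresses, reproduced in Python with an in-memory SQLite table. This is an added illustration, not Coppermine's own code: the table, album numbers and pictures are constructed, and `build_query` only mirrors how the thread's WHERE clause is assembled (one LIKE group per search word, joined by the chosen mode, then the album filter). Because AND binds tighter than OR, the unparenthesized form applies the `aid NOT IN` filter to the last OR branch only, so every picture matches.

```python
import sqlite3

# Constructed sample data: (pid, aid, title, caption, keywords).
# Albums 1 and 2 are public; albums 8 and 9 are the restricted ones.
SAMPLE_PICTURES = [
    (1, 1, "Beach", "sunset", "sea"),
    (2, 1, "Hills", "", "hike"),
    (3, 2, "Cat", "sleeping", "pet"),
    (4, 8, "Private", "family", "home"),
    (5, 9, "Admin", "secret", "staff"),
]
RESTRICTED_ALBUMS = (8, 9)


def build_query(words, join_type, restricted, parenthesize):
    """Assemble the search WHERE clause the way the thread describes.

    With parenthesize=False the search groups are joined bare, which is
    the bug: 'A OR B AND filter' parses as 'A OR (B AND filter)'.
    With parenthesize=True the whole search is wrapped first, which is
    the fix: '(A OR B) AND filter'. LIKE patterns and album ids are
    passed as bound parameters rather than interpolated.
    """
    sections = ["(title LIKE ? OR caption LIKE ? OR keywords LIKE ?)"] * len(words)
    params = []
    for w in words:
        params += ["%" + w + "%"] * 3
    search = join_type.join(sections)
    if parenthesize:
        search = "(" + search + ")"
    placeholders = ",".join("?" * len(restricted))
    sql = f"SELECT COUNT(*) FROM pictures WHERE {search} AND aid NOT IN ({placeholders})"
    params += list(restricted)
    return sql, params


def count_visible(words, join_type, parenthesize):
    """Run the assembled query against the sample table; return the hit count."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pictures (pid INTEGER, aid INTEGER, title TEXT, caption TEXT, keywords TEXT)")
    con.executemany("INSERT INTO pictures VALUES (?,?,?,?,?)", SAMPLE_PICTURES)
    sql, params = build_query(words, join_type, RESTRICTED_ALBUMS, parenthesize)
    (n,) = con.execute(sql, params).fetchone()
    con.close()
    return n


if __name__ == "__main__":
    words = " ".split(" ")  # a search for a single space yields two empty words
    print("buggy  OR search:", count_visible(words, " OR ", False))   # 5: restricted rows leak
    print("fixed  OR search:", count_visible(words, " OR ", True))    # 3: only public albums
    print("AND search (bug hidden):", count_visible(words, " AND ", False))  # 3
```

The AND mode never exposed the flaw because an all-AND chain has no precedence ambiguity, which is why it only surfaced with the OR option.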

diverdan

Indeed, I took the gallery offline once I found the SQL but I just didn't have time to find the adjustment in the PHP.  Picked up the fix with an svn up.  Thanks to you both!