Guest Edit Own Comments?
 


Started by chugger93, March 03, 2008, 03:31:34 AM


chugger93

I'm new to Coppermine, and just installed. I've made it so that guests can basically post comments, or rate. I've posted a comment as a guest and it then gives me the option to edit or delete it. I figured "ok fine, I'll close my browser and go back" just in case it was that session only. Still allows me to. Is this normal behavior? How can I make them not edit or delete? Right now to me it's a big security flaw... unless I'm missing something in the config.

Joachim Müller

If you allow guest comments, how could this be a security flaw? If you only want to allow guest comments, but want to disallow them to edit or delete them, then search the board - a hack has been posted that does what you're up to.

chugger93

I'll tell you how it's a security hazard. Because any guest that comes on Coppermine can edit or delete someone else's comment. At least from what my testing yields.

Nibbler

Guests can only edit their own comments. I'm guessing you didn't clear cookies between tests.

Joachim Müller

Quote from: chugger93 on March 03, 2008, 03:12:00 PM
I'll tell you how it's a security hazard. Because any guest that comes on Coppermine can edit or delete someone else's comment. At least from what my testing yields.
Even if this was the case you can hardly call this a security hazard, as no sensitive data (admin info etc.) is being compromised. As Nibbler suggested: guests are being authenticated using cookies, so yes: if a user is clever enough, he can delete his cookies and then re-post a comment and thus circumvent comment flooding. If you're concerned about that, disallow anonymous comments.
If you're convinced that this is not the case and guest 1 can actually edit the comment of guest 2, post a link to your gallery for a start.