coppermine-gallery.com/forum

Support => Older/other versions => cpg1.2 Standalone Support => Topic started by: Nerd3D on March 04, 2004, 09:53:32 PM

Title: Bug? Users can view any gallery, just edit URL
Post by: Nerd3D on March 04, 2004, 09:53:32 PM
I think this is a security hole. A user can view any gallery or image: just edit the URL in the browser to a different gallery number. Shouldn't thumbnails.php and displayimage.php check permissions?
Title: Bug? Users can view any gallery, just edit URL
Post by: Casper on March 04, 2004, 11:38:33 PM
CPG does check permissions, and unlogged users cannot normally view the pics by following the steps you detailed.
How exactly are you experiencing this?
Title: Just paste the URL in any web browser
Post by: Nerd3D on March 05, 2004, 12:11:46 AM
http://www.whatever.com/gallery/thumbnails.php?album=3

Just change the album number to see any album. Verified broken in IE and MOZ. I can even view the album with cookies completely disabled. From there I can click any picture to view it unhindered, logged in or not, cookies or not.
Title: Bug? Users can view any gallery, just edit URL
Post by: Casper on March 05, 2004, 12:21:56 AM
Your link is broken (edit: DOH, I was tired lol). Have you modified any files?
Title: Bug? Users can view any gallery, just edit URL
Post by: omniscientdeveloper on March 05, 2004, 12:27:23 AM
You should post a link to your site. I'm not experiencing what you stated on mine. Something's most likely wrong with your install. I'd try downloading a new copy of displayimage.php and thumbnails.php from the CVS.
Title: Of course it is...
Post by: Nerd3D on March 05, 2004, 12:31:23 AM
I changed the dot.com because the gallery we are running is (supposed to be) private.

The only "but" is that we are running the YaBB bridge. And I applied the mod to allow admins to see "Registered User Only" galleries. But that mod only affects index.php; this is in thumbnails.php. I can also just enter an album and image number in displayimage.php to get the same result.

If the implementors would like I can email somebody the real URL.
Title: Bug? Users can view any gallery, just edit URL
Post by: omniscientdeveloper on March 05, 2004, 12:34:47 AM
From my understanding, when you bridge coppermine with another application like YABB and PHPBB, it uses the users from those apps. If this is correct, then there is something wrong with your user setup in YABB.
Title: Don't think so.
Post by: Nerd3D on March 05, 2004, 12:50:02 AM
The YaBB install is completely stock, and if the user is logged out it doesn't let them in. Just like it shouldn't.
Title: Plus...
Post by: Nerd3D on March 05, 2004, 12:51:42 AM
If the logged-out user goes to the index page they only see the albums that are public, which is correct. (Of course the album count is for all the albums, which is wrong, but that's a different bug.)
Title: Bug? Users can view any gallery, just edit URL
Post by: omniscientdeveloper on March 05, 2004, 12:56:21 AM
Try downloading a new copy of CPG first. I can't look at your site.
Title: Already tried
Post by: Nerd3D on March 05, 2004, 01:01:37 AM
I already tried re-downloading and installing everything. I got the new displayimage and thumbnail from CVS.

Try the link I sent to you via IM.
Title: Not a matter of integration into the BBS either
Post by: Nerd3D on March 05, 2004, 03:42:12 AM
I just clean installed it again (no bridge), added a couple of albums and then hit the search tool. It shows images from every album regardless of permission; clicking on the image takes me right to a picture in a "Registered User" gallery. BIG HOLE

I've dug through thumbnails.php. I'm no PHP wiz, but I can't see where it's actually checking to see what group the user is in. Some place I should be seeing something like...

if ($alb_thumb['visibility'] == 0 || $alb_thumb['visibility'] == $USER_DATA['group_id']) {
    // The goods: show the album
} else {
    // "Get lost" message, or just nothing at all
}

Right?
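The kind of check Nerd3D is looking for, as an added example that is not Coppermine's own code: one visibility function shared by the thumbnails, displayimage and search paths, with the "Users can have private albums" setting from later in the thread modelled as a global switch. The group ids (ANON_GROUP, ADMIN_GROUP, group 2) and the sample albums are constructed.

```php
<?php
// Added example, not Coppermine code. One central visibility check reused by
// every entry point so an album hidden on index.php cannot be reached by
// editing ?album= in the URL. Visibility 0 = public; any other value is the
// only group_id allowed in. All ids and album rows below are constructed.

const ANON_GROUP  = 3;  // constructed id for the "Anonymous users" group
const ADMIN_GROUP = 1;  // constructed id for the admin group

function album_visible(array $album, array $user, bool $private_albums_enabled): bool
{
    // Thread finding: with "Users can have private albums" = no, every album
    // is readable by everyone, anonymous visitors included.
    if (!$private_albums_enabled) {
        return true;
    }
    if ($album['visibility'] == 0 || $user['group_id'] == ADMIN_GROUP) {
        return true;
    }
    return $album['visibility'] == $user['group_id'];
}

// Constructed rows standing in for the albums table.
$albums = [
    1 => ['visibility' => 0, 'title' => 'Public shots'],
    2 => ['visibility' => 2, 'title' => 'Registered users only'],
    3 => ['visibility' => 2, 'title' => 'Another members-only album'],
];
$visitor = ['group_id' => ANON_GROUP];  // logged out, cookies off
$member  = ['group_id' => 2];

// thumbnails.php / displayimage.php: check before emitting anything, and give
// a forbidden album the same answer as a missing one.
function show_album(int $album_id, array $user, array $albums, bool $private_on): string
{
    if (!isset($albums[$album_id]) || !album_visible($albums[$album_id], $user, $private_on)) {
        return 'Get lost';
    }
    return $albums[$album_id]['title'];
}

// search.php: filter hits through the same function so results do not leak.
function search_results(array $user, array $albums, bool $private_on): array
{
    return array_keys(array_filter($albums,
        fn($a) => album_visible($a, $user, $private_on)));
}

echo show_album(2, $visitor, $albums, true), "\n";
echo show_album(2, $member, $albums, true), "\n";
echo implode(',', search_results($visitor, $albums, true)), "\n";
echo implode(',', search_results($visitor, $albums, false)), "\n";
```

Running it with the switch on, the visitor gets the same refusal for album 2 as for a nonexistent one and search returns only album 1; flipping the switch off reproduces the thread's behaviour, where search lists all three.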
Title: Found some relevant info
Post by: Nerd3D on March 05, 2004, 04:43:15 AM
This is caused by setting "Users can have private albums" to "no"; if it's set to "yes" it works right. I don't even know where to start looking for that one. I didn't try it without the bridge like this, but the fact that changing the setting in config turns the bug on and off absolves the bridge settings.
Title: Re: Found some relevant info
Post by: Tarique Sani on March 05, 2004, 06:35:19 AM
Quote from: "Nerd3D": This is caused by setting "Users can have private albums" to "no"; if it's set to "yes" it works right.

The above is plain English:
Q: Users can have private albums?
A: No

OK, there are no private albums in this gallery because the Admin dictates that there cannot be any. End of argument :)

P.S. I have added a warning in english.php to that effect.
Title: Bug? Users can view any gallery, just edit URL
Post by: omniscientdeveloper on March 05, 2004, 06:36:19 AM
Ok.

I see what you're talking about now, and after some discussion with established members, ;) I've found out that this isn't a bug. The word "users", in that sentence, is all inclusive, so setting that field to "no" has a global effect, making all your private albums public.
Title: Oh, I get it
Post by: Nerd3D on March 05, 2004, 07:18:15 AM
Oh, so this means that "User's albums can't be private" not "Users can't have private albums" and "private" means hidden not personal.

When I read the help page I wasn't thinking of non-registered visitors as "users". I suppose I should have caught on when I saw the Anonymous users group. You might mention in the help page that turning this off will make all images available to everybody, even if the album is hidden.

This brings up a question: why can the album be hidden from certain groups but not the pictures in it?

P.S. Sorry to be a bother about this.