Bug? Users can view any gallery, just edit URL

Started by Nerd3D, March 04, 2004, 09:53:32 PM


Nerd3D

I think this is a security hole. A user can view any gallery or image: just edit the URL in the browser to a different gallery number. Shouldn't thumbnails.php and displayimage.php check permissions?
Happy Rendering

Casper

CPG does check permissions, and unlogged users cannot normally view the pics by following the steps you detailed.
How exactly are you experiencing this?
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

Nerd3D

http://www.whatever.com/gallery/thumbnails.php?album=3

Just change the album number to see any album. Verified broken in IE and MOZ. I can even view the album with cookies completely disabled. From there I can click any picture to view it unhindered, logged in or not, cookies or not.
Happy Rendering

Casper

Your link is broken (edit DOH, I was tired lol). Have you modified any files?
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

omniscientdeveloper

You should post a link to your site. I'm not experiencing what you stated on mine. Something's most likely wrong with your install. I'd try downloading a new copy of displayimage.php and thumbnails.php from the CVS.

Nerd3D

I changed the dot.com because the gallery we are running is (supposed to be) private.

The only "but" is that we are running the YaBB bridge. And I applied the mod to allow admins to see "Registered User Only" galleries. But that mod only affects Index.php; this is in thumbnails.php. I can also just enter an album and image number in displayimage.php to get the same result.

If the implementors would like I can email somebody the real URL.
Happy Rendering

omniscientdeveloper

From my understanding, when you bridge coppermine with another application like YABB and PHPBB, it uses the users from those apps. If this is correct, then there is something wrong with your user setup in YABB.

Nerd3D

The YaBB install is completely stock, and if the user is logged out it doesn't let them in. Just like it shouldn't.
Happy Rendering

Nerd3D

If the logged-out user goes to the index page they only see the albums that are public, which is correct. (Of course the album count is for all the albums, which is wrong, but that's a different bug.)
Happy Rendering

omniscientdeveloper

Try downloading a new copy of CPG first. I can't look at your site.

Nerd3D

I already tried re-downloading and installing everything. I got the new displayimage and thumbnail from CVS.

Try the link I sent to you via IM.
Happy Rendering

Nerd3D

I just clean installed it again (no bridge), added a couple of albums and then hit the search tool. It shows images from every album regardless of permission; clicking on the image takes me right to a picture in a "Registered User" gallery. BIG HOLE

I've dug through thumbnails.php. I'm no PHP wiz, but I can't see where it's actually checking to see what group the user is in. Some place I should be seeing something like...

// album is public (visibility 0) or restricted to the viewer's own group
if ($alb_thumb['visibility'] == 0 || $alb_thumb['visibility'] == $USER_DATA['group_id']) {
    // The Goods
} else {
    // Get lost message || just nothing at all.
}


Right?
Happy Rendering

Nerd3D

This is caused by setting "Users can have private albums" to "no"; if it's set to "yes" it works right. I don't even know where to start looking for that one. I didn't try it without the bridge like this, but the fact that changing the setting in config turns the bug on and off absolves the bridge settings.
Happy Rendering

Tarique Sani

Quote from: "Nerd3D"
This is caused by setting "Users can have private albums" to "no"; if it's set to "yes" it works right.

The above is plain English:
Q: Users can have private albums?
A: no

OK, there are no private albums in this gallery because the Admin dictates that there cannot be any. End of argument :)

P.S. I have added a warning in english.php to that effect.
SANIsoft PHP applications for E Biz

omniscientdeveloper

Ok.

I see what you're talking about now, and after some discussion with established members, ;) I've found out that this isn't a bug. The word "users", in that sentence, is all inclusive, so setting that field to "no" has a global effect, making all your private albums public.

Nerd3D

Oh, so this means that "User's albums can't be private" not "Users can't have private albums" and "private" means hidden not personal.

When I read the help page I wasn't thinking of non-registered visitors as "users". I suppose I should have caught on when I saw the Anonymous users group. You might mention in the help page that turning this off will make all images available to everybody, even if the album is hidden.

This brings up a question, why can the album be hidden from certain groups but not the pictures in it?


P.S. Sorry to be a bother about this.
Happy Rendering
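The access rule the thread arrives at, written out as an added PHP example (not Coppermine's own code): an album is viewable when its visibility is 0 or matches the viewer's group, but when the global "Users can have private albums" setting is off every album is treated as public, which is why editing the album or picture id in thumbnails.php, displayimage.php or the search results reached "Registered User Only" pictures. The config key, array keys, group ids and helper names are assumptions; the sample albums are constructed.

```php
<?php
// Added example, not Coppermine's code. Group ids below are assumed.
const ANONYMOUS_GROUP_ID  = 3; // hypothetical id of the Anonymous users group
const REGISTERED_GROUP_ID = 2; // hypothetical id of the Registered users group

// One rule, reused by every entry point (album listing, single image, search).
function album_visible(array $config, array $album, int $group_id): bool {
    // Global setting off: nothing is private, exactly what the thread found.
    if (empty($config['users_can_have_private_albums'])) {
        return true;
    }
    return $album['visibility'] == 0 || $album['visibility'] == $group_id;
}

// thumbnails.php / search: keep only the albums the viewer may see.
function filter_visible_albums(array $config, array $albums, int $group_id): array {
    return array_values(array_filter(
        $albums,
        fn(array $a) => album_visible($config, $a, $group_id)
    ));
}

// displayimage.php: a picture inherits the visibility of its album, so an
// image id alone never grants access; the album check must run here too.
function image_visible(array $config, array $albums_by_id, array $picture, int $group_id): bool {
    $album = $albums_by_id[$picture['aid']] ?? null;
    return $album !== null && album_visible($config, $album, $group_id);
}

// Constructed sample data.
$albums = [
    ['aid' => 1, 'title' => 'Public shots',    'visibility' => 0],
    ['aid' => 2, 'title' => 'Registered only', 'visibility' => REGISTERED_GROUP_ID],
];
$albums_by_id = array_column($albums, null, 'aid');
$picture      = ['pid' => 10, 'aid' => 2]; // lives in the registered-only album

$setting_on  = ['users_can_have_private_albums' => 1];
$setting_off = ['users_can_have_private_albums' => 0];

// Anonymous visitor with the setting on: only the public album, picture hidden.
echo "on : albums=" . count(filter_visible_albums($setting_on, $albums, ANONYMOUS_GROUP_ID))
   . " picture=" . var_export(image_visible($setting_on, $albums_by_id, $picture, ANONYMOUS_GROUP_ID), true) . "\n";
// Same visitor with the setting off: both albums and the picture are reachable.
echo "off: albums=" . count(filter_visible_albums($setting_off, $albums, ANONYMOUS_GROUP_ID))
   . " picture=" . var_export(image_visible($setting_off, $albums_by_id, $picture, ANONYMOUS_GROUP_ID), true) . "\n";
```

Run it with `php example.php` (PHP 7.4 or later for the arrow function); the two output lines show the anonymous visitor's access flipping with the global setting alone.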