BUG: PHP Anonymous User Security

Started by kylemallory, March 30, 2004, 05:36:52 AM


kylemallory

I'm currently running CPM 1.1.0 (Upgrade, I know), and I've found that when I log in as Anonymous (belonging to the Anonymous group) - if I am browsing the "home" category, and click to display the most recent uploaded images, or the top rated, or the most recent comments, it will display images from all albums, even private ones.

Can anyone provide me with some information on how I can modify the SQL query to only show thumbnails from albums which the user has access to?  If it is possible at all...

Hopefully this can be done without requiring me to upgrade to 1.2.1, as I've made some significant changes to my install.

Thanks,


Kyle Mallory
Mallory Multimedia, LLC
www.mallory-multimedia.com

Joachim Müller

Recent and random do respect the privacy settings, even in older versions of Coppermine. Make sure you are logged out or logged in as a user who shouldn't have permissions to see the private albums when testing this.
Also make sure you're using an unmodified version of Coppermine - maybe you have applied a mod that disables the permission checking.
To tell you more, post a link and a test account of a user with slightly enhanced permissions (can see at least one private gallery).

GauGau

P.S. Don't shout out "bug" so loud if you're not sure; some devs tend to react very sensitively, since "bug" implies "your code is bad", sort of. :wink:

kylemallory

Thanks GauGau,

I did make some minor modifications on my own, essentially I wanted to require a login from all users before showing them anything - nothing that *should* have altered the functionality of the Last Comments/Most Viewed/Top Rated thumbnail views.

I did try to access the website using a privileged user, and had the same results.

The category view properly shows only those Galleries and Albums which are viewable by the user, as well as public ones viewable by everyone/anonymous.  However, I still see thumbnails for other private groups.

Here is a link/example:

www.mallory-multimedia.com/Intranet/Gallery

Anonymous User:   Anonymous/guest - can only view "Snowboarding Pictures" category.

Privileged User:  Brian Larsen/blarsen - can view private gallery "Death Rides The Nine", and public gallery "Snowboarding Pictures".

If you log in as either user, DO NOT click on any of the categories, and then click "Last comments", you will see 5 images of an "ELYTE" logo which belongs to another user's private album.  If you click on "Most Viewed", you will see additional Elyte logos, as well as product shots of various mineral bottles, also belonging to a third private album.


It is possible I screwed something up in making my own mods, but I'm sure I've not made modifications on the thumbnail views.

Any ideas?

Yeah, I suppose the "BUG" was a bit premature - especially considering I have done some mods of my own.  Sorry about that...

Kyle

Casper

I don't see the point in making someone login, and then providing them with an anonymous account.  But the fact is, they are logged in.

What groups are blarsen and anonymous assigned to? Look at their profiles and see if any other boxes are ticked.

And what groups are the restricted albums restricted to?
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

kylemallory

Originally I didn't allow anonymous users; only existing clients could access the gallery.  I've since started photographing public events, and will eventually allow people to purchase prints of the photos online, without anyone ever establishing a client relationship.  However, I don't want to clutter the front page for professional clients with unrelated photographs.

Anonymous is assigned to the "Anonymous" group.  User is Active: Yes.  No other "boxes to tick" for the user profiles.  All other fields are blank.

blarsen is assigned to the "DeathRides" group. User is Active: Yes.  All other fields, except "User occupation", are blank.

Within the group settings:

Anonymous : 0 kb quota -  Rate:Yes - eCards:Yes - Comments:Yes - Upload:No - Pub.Upl:Yes - Personal:No - Priv.Upl:Yes

DeathRides : 0kb quota - Rate:Yes - eCard:No - Comments:Yes - Upload:Yes - Pub.Upl:Yes - Personal:No - Priv.Upl:Yes


Is there something else that I might be missing?

Casper

In admin mode, click on users, find user 'anonymous', and click on the edit button.

Now look at the tick boxes under the usergroup box.  Is the registered user box ticked, as well as the anonymous, like in this pic?
(screenshot: http://www.langportrd.f2s.com/ss/anon.jpg)

Make sure it's not ticked.

kylemallory

I'm guessing you missed the beginning of the thread where I said I was using "CPM 1.1.0"...    :)

So what you are telling me is that I need to upgrade, and try to port my mods to the latest version.

Any other last minute suggestions?  New SQL queries in the PHP code that might remedy/explain the problem?