TOPIC: Re:Permissions Issue in Fireboard Searchbot 1.2.1
brianjd (User)
Fresh Boarder
Posts: 1
Permissions Issue in Fireboard Searchbot 1.2.1 5 Months, 1 Week ago
Karma: 0
I thought I would let you know about a potential security issue with your Fireboard Searchbot. When Fireboard boards are set up for Any Registered user to have access, they are given a public_access value of -1. Since this is lower than the public public_access value of 0, messages on these boards are returned for searches when there should be no permission to do so.
I am including my fixes for your reference.
In fireboard.searchbot.php (code modified to remove unneeded slash-n combinations, due to fireboard code glitch), starting at line 355:
Code:
// *****************************************************
// *****************************************************
// - Get the search results for the forum categories:
$query = "SELECT c.name AS title,"
. " c.description AS text,"
. " c.hits,"
. " c.pub_access,"
. " c.published,"
. " '' AS created,"
. " '$section_name' AS section,"
. " '2' AS browsernav,"
. " CONCAT('index.php?option=com_fireboard&Itemid=', '$Itemid', '&func=showcat&catid=',c.id) AS href"
. " FROM #__fb_categories AS c"
. " WHERE ( $whereA )"
. " AND c.published = 1";
// Guests ($access == 0) may only match public boards (pub_access = 0).
// A plain "pub_access <= 0" would also match registered-only boards (pub_access = -1).
if ($access == 0) {
    $query .= " AND c.pub_access = 0";
} else {
    $query .= " AND c.pub_access <= $access";
}
$query .= " ORDER BY $orderA";
$database->setQuery( $query, 0, $limit );
$row1 = $database->loadObjectList();
// *****************************************************
// *****************************************************
// - Get the search results for the forum post messages:
$query2 = "SELECT b.subject AS title,"
. " a.message AS text,"
. " b.hits,"
. " c.pub_access,"
. " c.published,"
. " c.description,"
. " FROM_UNIXTIME(b.time) AS created,"
. " CONCAT('$section_name','/', c.name) AS section,"
. " '2' AS browsernav,"
. " CONCAT('index.php?option=com_fireboard&Itemid=', '$Itemid', '&func=view&catid=',b.catid,'&id=',b.thread) AS href"
. " FROM #__fb_messages_text AS a"
. " INNER JOIN #__fb_messages AS b ON b.id = a.mesid"
. " INNER JOIN #__fb_categories AS c ON c.id = b.catid"
. " WHERE ( $whereB )"
. " AND c.published = 1";
// Same access filter as above, applied to the category each message belongs to.
if ($access == 0) {
    $query2 .= " AND c.pub_access = 0";
} else {
    $query2 .= " AND c.pub_access <= $access";
}
$query2 .= " ORDER BY $orderB";
$database->setQuery( $query2, 0, $limit );
$row2 = $database->loadObjectList();
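The effect of the filter change in the post above, as an added example (not code from the thread or from the Searchbot): a Python model that runs both predicates against an in-memory SQLite table. It assumes the unpatched bot applied `pub_access <= $access` to every searcher; the table layout, board names and access levels 1 and 2 are constructed.

```python
import sqlite3

# Constructed sample categories. -1 (registered users only) and 0 (public)
# are the values named in the post; 2 is an assumed higher access level.
BOARDS = [("Public board", 0), ("Members board", -1), ("Staff board", 2)]


def access_clause(access, fixed):
    """Return the SQL predicate on c.pub_access for a searcher's access level."""
    access = int(access)  # force a number before it is placed in the SQL text
    if fixed and access == 0:
        return "c.pub_access = 0"        # guest: public boards only
    return f"c.pub_access <= {access}"   # assumed pre-fix filter, and the fix's else branch


def visible_boards(access, fixed):
    """Names of the boards a search would return rows from, sorted by name."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE fb_categories (name TEXT, pub_access INTEGER, published INTEGER)"
    )
    db.executemany("INSERT INTO fb_categories VALUES (?, ?, 1)", BOARDS)
    sql = (
        "SELECT c.name FROM fb_categories AS c WHERE c.published = 1 AND "
        + access_clause(access, fixed)
        + " ORDER BY c.name"
    )
    names = [row[0] for row in db.execute(sql)]
    db.close()
    return names


def guest_leak(fixed):
    """Boards searchable by a guest (access 0) that are not public (pub_access != 0)."""
    public = {name for name, level in BOARDS if level == 0}
    return [name for name in visible_boards(0, fixed) if name not in public]


if __name__ == "__main__":
    # Access level 1 for a registered user is an assumed sample value.
    for label, access in (("guest", 0), ("registered", 1)):
        for fixed in (False, True):
            state = "fixed" if fixed else "unfixed"
            print(f"{label:10} {state:8} {visible_boards(access, fixed)}")
    print("leaked to guest before fix:", guest_leak(False))
    print("leaked to guest after fix: ", guest_leak(True))
```

The same `guest_leak` check works as a regression test whenever the access filter is touched again.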
vujsa (Admin)
Admin
Posts: 138
Re:Permissions Issue in Fireboard Searchbot 1.2.1 5 Months, 1 Week ago
Karma: 4
Thank you very much for this report. Feedback on the projects here always makes the end product better. After all, I can't foresee every possible problem nor can I fully test every possible configuration that might affect the script.
I would like to point out to anyone that may read this and be concerned, while the SearchBot may return results that the user is not allowed to view, FireBoard and Joomla will not allow them to see the actual resource. So for now, I will categorize this as a permissions issue but unlikely to be a true security issue.
I will address this issue in the next update of the script.
Again, thank you,
vujsa