Security issue: We have a locked area on forum.iphone.cz, but latest posts show messages from this section!
Patch: get_new_topic.php
Inserted code is between // begin of inserted code and // end of inserted code
Code:
<?php
defined('IN_MOBIQUO') or exit;
function get_new_topic_func()
{
    global $db, $auth;
    $sql = 'SELECT f.forum_id, f.forum_name, t.topic_id, t.topic_title, t.topic_replies,
                   t.topic_last_post_id, t.topic_last_poster_id, t.topic_last_poster_name,
                   t.topic_last_post_time
            FROM '. TOPICS_TABLE .' t, '. FORUMS_TABLE .' f
            WHERE f.forum_id = t.forum_id
            AND t.topic_approved = 1
            ORDER BY t.topic_last_post_time DESC';
    $result = $db->sql_query_limit($sql, 20);
    $topic_list = array();
    while ($row = $db->sql_fetchrow($result))
    {
        // begin of inserted code
        // Permissions check
        if (!$auth->acl_gets('f_list', 'f_read', $row['forum_id']))
        {
            // user has no permission
        }else{
            // access granted
            // end of inserted code
            $topic_id = $row['topic_id'];
            $forum_id = $row['forum_id'];
            $short_content = get_short_content($row['topic_last_post_id']);
            $topic_tracking = get_complete_topic_tracking($forum_id, $topic_id);
            $new_post = $topic_tracking[$topic_id] < $row['topic_last_post_time'] ? true : false;
            $xmlrpc_topic = new xmlrpcval(array(
                'forum_id'         => new xmlrpcval($forum_id),
                'forum_name'       => new xmlrpcval(trans_html_char($row['forum_name']), 'base64'),
                'topic_id'         => new xmlrpcval($topic_id),
                'topic_title'      => new xmlrpcval(trans_html_char(censor_text($row['topic_title'])), 'base64'),
                'reply_number'     => new xmlrpcval($row['topic_replies'], 'int'),
                'short_content'    => new xmlrpcval($short_content, 'base64'),
                'post_author_id'   => new xmlrpcval($row['topic_last_poster_id']),
                'post_author_name' => new xmlrpcval(trans_html_char($row['topic_last_poster_name']), 'base64'),
                'new_post'         => new xmlrpcval($new_post, 'boolean'),
                'post_time'        => new xmlrpcval(mobiquo_iso8601_encode($row['topic_last_post_time']), 'dateTime.iso8601')
            ), 'struct');
            $topic_list[] = $xmlrpc_topic;
            // begin of inserted code
        }
        // end of inserted code
    }
    $db->sql_freeresult($result);
    return new xmlrpcresp(new xmlrpcval($topic_list, 'array'));
} // End of get_new_topic
?>
Patch by drsny - forum.iphone.cz
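Added example (not part of the original post, the patch, or the plugin's code): phpBB's `acl_gets()` returns true when any one of the listed options is granted, so a check on `'f_list', 'f_read'` also passes for a forum the user can see in the index but not read. The sketch below uses a hypothetical `StubAuth` class and `visible_topics()` helper with constructed forum data to contrast that with a read-only `acl_get('f_read', ...)` check applied before the list is cut to size.

```php
<?php
// Added example: StubAuth stands in for phpBB's $auth; all data is constructed.
class StubAuth
{
    private $acl;
    public function __construct(array $acl) { $this->acl = $acl; }

    // Like acl_get(): true only if this single option is granted in the forum.
    public function acl_get($opt, $forum_id)
    {
        return !empty($this->acl[$forum_id][$opt]);
    }

    // Like acl_gets(): true if ANY listed option is granted; last arg is the forum id.
    public function acl_gets(...$args)
    {
        $forum_id = array_pop($args);
        foreach ($args as $opt) {
            if ($this->acl_get($opt, $forum_id)) {
                return true;
            }
        }
        return false;
    }
}

// Drop rows from forums the user cannot read, then apply the size limit,
// so filtered-out topics do not shorten the returned list.
function visible_topics(array $rows, $auth, $limit)
{
    $readable = array_filter($rows, function ($row) use ($auth) {
        return $auth->acl_get('f_read', $row['forum_id']);
    });
    return array_slice(array_values($readable), 0, $limit);
}

// Constructed case: forum 2 is visible in the forum list but not readable.
$auth = new StubAuth(array(
    1 => array('f_list' => true, 'f_read' => true),
    2 => array('f_list' => true, 'f_read' => false),
));
$rows = array(
    array('forum_id' => 2, 'topic_id' => 30),
    array('forum_id' => 1, 'topic_id' => 20),
    array('forum_id' => 1, 'topic_id' => 10),
);
// Compare the any-of check with the read-only check for forum 2, then filter.
var_dump($auth->acl_gets('f_list', 'f_read', 2), $auth->acl_get('f_read', 2));
print_r(array_column(visible_topics($rows, $auth, 2), 'topic_id'));
```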
Yes, I can see this situation. Our permission check is at the get thread level. The short content in the latest posts list may let out some information. We'll take care of this problem and update the installation package soon. Thanks very much for your report, rony!
Excellent discovery - we will provide a new build in the next 24 hours and will announce it to all phpBB forum owners via email. Thanks again.