Security Problem with Comments - Need Fix Asap

Anstey Stephan -- on Feb. 4

Comments on Associate only threads are exposed by the search engine.

Problem has been recorded

Issue description

When a member searches the site the results include comments by our members in theoreticaly secure threads.

Files

Comments.zip 10,668 bytes, 46 downloads
Edited by Dobliu on June 22
Zoom

1 file

Comments

Page bottom

AnsteyER 301 posts	on Feb. 4 I have commented out the code on search.php that searches the comments until this is resolved. If you want me to uncomment and show you my results, let me know. verified that search was done logged completely out verified that comments shown were in associate thread The concern is that we often use the comments for sensitive private data.
Bernard from nearby-an-airport Associate, 6696 posts	on Feb. 7 Ok, I will do the same, and comment out the released code until a solution is find.
Dobliu from L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 203 posts	on Feb. 10 Hello anteyER, it's a major bug in YACS. Several months ago, i have posted a solution on French forum, due i think, a missing of time it was not reused in news releases. Code below in function search file comments.php; it is running with mysql version = or > v4.1, YACS 7.12 or 8.1, Click to fold/unfold / * search for some keywords in all comments * * @param the search string * @param int the offset from the start of the list; usually, 0 or 1 * @param int the number of items to display * @param string the list variant, if any * @return NULL on error, else an ordered array with $url => ($prefix, $label, $suffix, $icon) * * @see search.php * @see services/search.php / function &search($pattern, $offset=0, $count=30, $variant='search') { global $context; // match $match = ''; $words = preg_split('/s/', $pattern); while($word = each($words)) { if($match) $match .= ' AND '; $match .= "MATCH(description) AGAINST('".SQL::escape($word['value'])."')"; } // the list of comments /$query = "SELECT * FROM ".SQL::table_name('comments')." AS comments " ." WHERE ".$match ." ORDER BY comments.edit_date DESC" ." LIMIT ".$offset.','.$count; / // *** search from Dobliu ******** $query = "SELECT p1.* FROM (SELECT * FROM ".SQL::table_name('comments')." AS comments " ." WHERE ".$match ." ORDER BY comments.edit_date DESC) AS p1,".SQL::table_name('articles') . " AS articles,".SQL::table_name('sections') ." AS sections WHERE p1.anchor_id = articles.id AND sections.id = articles.anchor_id"; // limit the scope of the request $query .= " AND (sections.active='Y'"; // add restricted items to members, or if teasers are allowed if(Surfer::is_logged() \|\| !isset($context['users_without_teasers'])\|\|($context['users_without_teasers '] != 'Y')) $query .= " OR sections.active='R'"; // add associate if(Surfer::is_empowered('S')) $query .= " OR sections.active='N'"; // include managed sections if(count($my_sections = Surfer::assigned_sections())) $query .= " OR sections.id LIKE ".join(" OR sections.id LIKE ", $my_sections); $query .= ") LIMIT ".$offset.','.$count; // **** search from Dobliu ********** $output =& Comments::list_selected(SQL::query($query), $variant); return $output; }
Bernard from nearby-an-airport Associate, 6696 posts	inspired from dobliu on Feb. 10 Dobliu: What is the minimum version of MySQL that supports combined SELECT statements such as the one you propose ?
Dobliu from L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 203 posts	on Feb. 10 Bernard: "subselect" in Mysql 4.1, better compliance with SQL specifications. Below 4.1, only `INSERT ... SELECT ...` and `REPLACE ... SELECT ...`, but i have not checked . I use mysql 5; in others case using JOIN instruction can be a solution.
Dobliu from L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 203 posts	on Mar. 7 hello all where is the search comment patch ? Bernard, do you have a feeback on the suggested fix ? is it in version 8.2 ? bye ...
AnsteyER 301 posts	on Mar. 7 I am using mysql MySQL 5.0.24 are there any particular settings that might be wrong in my version?
AnsteyER 301 posts	inspired from ansteyER on Mar. 7 So i should find comment.php and replace the function there with this code?
Dobliu from L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 203 posts	on Mar. 7 hello ansteyER : do you have opened the folder in above comment : "Hello anteyER, it's a major bug in YACS. Several months ago, i have posted a solution on French forum, due i think, a missing of time it was not reused in news releases. Code below in function search file comments.php; it is running with mysql version = or > v4.1, YACS 7.12 or 8.1, Cliquer pour plier/déplier "
Bernard from nearby-an-airport Associate, 6696 posts	on June 20 Dobliu, at the moment the core code of yacs does not allow for search requests in comments, nor in links, to preserve confidentiality. If you wish, please provide an updated version of `search.php` and of related scripts, that could be integrated in July release.
Dobliu from L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 203 posts	on June 22 Dear YACSER'S, Find attached this latest update of comments.php file release 8.1. Don't forget to activate the search in comments (search.php) i am very busy during last days, and for the 8.5 release, i have not make a revision. Bye ... comments.zip

11 comments

Rate this page
Posted by AnsteyER on Feb. 4, commented by Dobliu on June 22, (popular)