forex trading logo

Home Community ccBoard - Bugs/Security Issues New Topic Image Security Issue
 Support Forum :: ccBoard - Bugs/Security Issues
Board Index Latest Posts Welcome Guest   [Register]  [Login]
« StartPrev12NextEnd »
 Subject :New Topic Image Security Issue.. 2009-03-30 11:49:41 
mgeorge
Fresher
Joined: 2009-03-30 11:21:10
Posts: 19
Location: Lexington, KY
 

Well I just installed ccBoard and its fantastic so far but I've ran into a small security problem.

Many individuals like to secure the /administrator directory using .htaccess on an apache server, with this being done, the image that is used to post a "New Topic", looks like a board with a star on it, is located in /administrator/images/*

If users use .htaccess for their /administrator directory, every time an visitor views a forum, a username/password box pops up asking for /administrator acess to retrieve the /administrator/images/new_f2.png file

For the time being, a work around to this can be to copy the new_f2.png image from /administrator/images into the /componets/com_ccboard/assets folder and modify the file; components/com_ccboard/views/topiclist/tmpl/default.php

There are 2 lines in that php script that reference /administrator/images/new_f2.png

Change those 2 lines to referencecomponents/com_ccboard/assets/new_f2.png

There may be a few more security issues that relate to this type of configuration, If i find more I will definately post them.

 

 
IP Logged
There's no place like 127.0.0.1
 Subject :Re: New Topic Image Security Issue.. 2009-03-30 12:13:08 
mgeorge
Fresher
Joined: 2009-03-30 11:21:10
Posts: 19
Location: Lexington, KY
 
More images are also affected including stop.png, paste_f2.png, restore_f2.png, restore.png that are found in /components/com_ccboard/views/postlist/tmpl/default.php
IP Logged
There's no place like 127.0.0.1
 Subject :Re: New Topic Image Security Issue.. 2009-03-30 20:54:18 
thomas
Admin
Joined: 2008-12-13 17:16:30
Posts: 2,545
Location: Aluva, India
 

Thanks george. I have already taken care of this for the next release.

Thank you for valuable time and effort and really appreciate the same.

Thanks

Thomas

 
IP Logged
Together we can make history :star:
 Subject :Re: New Topic Image Security Issue.. 2009-03-31 09:53:52 
mgeorge
Fresher
Joined: 2009-03-30 11:21:10
Posts: 19
Location: Lexington, KY
 
no prob, I'll definitely provide as much input as I can to better the project, great job so far :)
IP Logged
There's no place like 127.0.0.1
 Subject :Re: New Topic Image Security Issue.. 2009-03-31 09:59:07 
mgeorge
Fresher
Joined: 2009-03-30 11:21:10
Posts: 19
Location: Lexington, KY
 

I just found another issue with the "post editor" but i cannot find out what it is requesting from /administrator/

I'll post my findings once i discover the what the problem is.

IP Logged
There's no place like 127.0.0.1
 Subject :Re: New Topic Image Security Issue.. 2009-03-31 10:06:25 
mgeorge
Fresher
Joined: 2009-03-30 11:21:10
Posts: 19
Location: Lexington, KY
 
Well I discovered the problem, The file; components/com_ccboard/views/post/tmpl/default.php references

<img src="/<?php echo $this->path; ?>administrator/images/edit_f2.png" height="24" width="24" />
<img src="/<?php echo $this->path; ?>administrator/images/stop_f2.png" height="24" width="24" />
<img src="/<?php echo $this->path; ?>administrator/images/paste_f2.png" height="24" width="24" />

Those need to be changed to reference the images located in components/com_ccboard/assets/

Example;
<img src="/<?php echo $this->path; ?>components/com_ccboard/assets/edit_f2.png" height="24" width="24" />
<img src="/<?php echo $this->path; ?>components/com_ccboard/assets/stop_f2.png" height="24" width="24" />
<img src="/<?php echo $this->path; ?>components/com_ccboard/assets/paste_f2.png" height="24" width="24" />

Also make sure those images are are copied from the /administrator/images folder to the /components/com_ccboard/assets/ folder or you'll see Image errors in the browser.
IP Logged
There's no place like 127.0.0.1
 Subject :Re: New Topic Image Security Issue.. 2009-04-20 15:47:18 
mgeorge
Fresher
Joined: 2009-03-30 11:21:10
Posts: 19
Location: Lexington, KY
 

wow 17,000 views almost on this thread, holy cow. I'm guessing this is the most viewed thread on the site :)

 Apparently this must have been a very common problem.

IP Logged
There's no place like 127.0.0.1
 Subject :Re: New Topic Image Security Issue.. 2009-04-22 05:56:52 
Noody
Serious
Joined: 2009-01-09 18:21:50
Posts: 76
Location
Any thread with the phrase "Security Issue" in it is going to get a lot of attention.
IP Logged
AKA "Noddy"
 Subject :Re:New Topic Image Security Issue.. 2009-04-27 05:10:39 
mgeorge
Fresher
Joined: 2009-03-30 11:21:10
Posts: 19
Location: Lexington, KY
 
This issue was fixed in 1.0RC, upgrade and this wont be a problem.
IP Logged
There's no place like 127.0.0.1
 Subject :Re:New Topic Image Security Issue.. 2009-09-29 05:58:32 
sameevtl
Fresher
Joined: 2009-09-29 07:57:03
Posts: 1
Location
Hi This Test Massage from its4
IP Logged
test
« StartPrev12NextEnd »
Page # 


Powered by ccBoard



Latest News

Latest Posts

More...


Popular Posts


Powered by Joomla!. Designed by: Joomla Template, url. Valid XHTML and CSS.

© 2008-2009 CODECLASSIC.ORG. All Rights Reserved.