Help Center Live Community
Author Topic: bug in permissions - vulnerability  (Read 4282 times)
alaor
« on: March 19, 2008, 08:28:36 PM »

hello

I'm trying to understand how to protect my HCL app against users that know HCL.

example:
I don't need to be logged in to upload a file successfully....

If I try to go directly to these URLs:
http://mydomain.com/hcl/live/chat/admin.php

or

http://mydomain.com/hcl/live/chat/upload.php (here it's possible to upload files without being logged in)

or

http://mydomain.com/hcl/live/chat/display.php (here the display apparently shows the last conversation transcript)

What can I do to fix these permission bugs?

thanks


« Last Edit: March 19, 2008, 09:26:39 PM by alaor »
blitzen
« Reply #1 on: March 23, 2008, 07:08:58 PM »

This is a serious question that needs a fix. Our server just got hacked and they uploaded file after file, filling up the disk. This shut down websites. I don't know if the bug that alaor cited is responsible for the hack.

Meanwhile, we disable this by removing the <form... name="upload" ...> elements in the templates (template/Bliss directory),
chat_admin.tpl
and
chat_upload.tpl
« Last Edit: March 23, 2008, 07:24:23 PM by blitzen »
naturalangle
« Reply #2 on: March 24, 2008, 09:34:23 AM »

You know what, I noticed this also, and for me.. I'm finding that HCL is just not right for what I want.
This is a terrible bug, and the fact that I can't even get HCL to work on a normal install just stops me from wanting to try fixing it anymore. I'm sure a lot of other users are not having as much trouble as I am, so for them HCL can be great; unfortunately I'm uninstalling it and looking for something else.
alaor
« Reply #3 on: March 24, 2008, 03:16:16 PM »

blitzen.. I will try to disable the upload functions too, but this is not the only problem in my opinion.

I don't know if I am too much of a freak about security stuff, but this bug permits anyone to list all users in the HCL system...

and for me this is not a good thing.... as we all know, common users are not good at creating and using strong passwords....

so if I was trying to hack something, after discovering all the user names, I could try to break the users' passwords and log in like a real operator... this makes me really apprehensive...

think about it... someone logs in to your system and talks with your customers like a real operator?!!!!!!

but I will not quit HCL totally... it's a good tool but needs to be repaired.... so until we have some response from the HCL dev team about this bug I suggest you check Crafty Syntax too.... I'm still testing this tool, but it appears a little more robust about security things....

that is it people... sorry about my poor English...

alaor

alaor
« Reply #4 on: March 26, 2008, 06:57:37 PM »

ok. I'm trying to fix this @#$@ing bug....

I'm not a PHP expert, I prefer .NET/Java...

but with some help I created one include that maybe fixes this problem...

so here we go...

1- with some help I created in the class folder one file called valida.php with the following code

<?php
// special thanks to lfcosta who helped me to understand a little bit of PHP

// the session must be started before $_SESSION can be read
if (session_id() === '') {
    session_start();
}

// no username in the session means nobody is logged in: send them to the login page
if (!isset($_SESSION['hcl_username']) || $_SESSION['hcl_username'] == "") {
    header("Location: /root/mysite/hcl/admin/login.php");
    exit;
}
?>


2- so as I said, I'm not an expert in PHP... so this code can be adjusted... the objective of this code is just to check one more time if something exists in the username variable... so if it exists we presume the user is logged in....


3- then we put this include at the end of all files located in the hcl/live/chat folder

example:

    // do events that need to be done at the end of the file
    $inc->finished();

    // let's check whether some user is logged in, with our new include
    require('../../class/valida.php');

that's it...

4 - now when a user who is not logged in tries to access directly the files located in the hcl/live/chat folder, he is redirected to the login page


apparently it doesn't affect anything in the system, but it solves the problem...... if someone has a better solution please tell me here

thanks and good luck


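An added example, not code from HCL or from this thread: a gate include in the spirit of alaor's valida.php, but meant to be required as the first line of admin.php, upload.php and display.php rather than at the end, because header('Location: ...') only works before any output has been sent, and a check that runs after the page (or the upload handling) has already executed cannot stop it. It assumes HCL keeps the operator name in $_SESSION['hcl_username'] as the thread's code does; the login path and the upload field name are placeholders.

```php
<?php
// hcl_gate.php: added example, not HCL's own code.
// Assumption: HCL stores the operator name in $_SESSION['hcl_username'].
// Require this file FIRST in admin.php, upload.php and display.php, before
// any HTML is echoed; a redirect issued after output cannot block the page.

function hcl_require_login($loginUrl)
{
    if (session_id() === '') {
        session_start();
    }
    $user = isset($_SESSION['hcl_username']) ? $_SESSION['hcl_username'] : '';
    if (!is_string($user) || trim($user) === '') {
        // Record refused requests for monitoring; never echo attacker input.
        error_log(sprintf('hcl gate: unauthenticated request to %s from %s',
            isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '?',
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '?'));
        header('Cache-Control: no-store');
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
}

// For upload.php: being logged in is not enough on its own. The file must be
// a genuine PHP upload and fit a size cap, which limits the disk-filling that
// blitzen describes. Returns null when acceptable, otherwise a reason string.
function hcl_check_upload(array $file, $maxBytes)
{
    $err = isset($file['error']) ? $file['error'] : UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return 'upload missing or failed (error ' . $err . ')';
    }
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return 'not a file uploaded through HTTP POST';
    }
    if (!isset($file['size']) || $file['size'] > $maxBytes) {
        return 'file larger than ' . $maxBytes . ' bytes';
    }
    return null;
}

// Runs on require, so every page that includes this file is gated.
// '/hcl/admin/login.php' is a placeholder: use your install's real path.
hcl_require_login('/hcl/admin/login.php');

// Then in upload.php, before the existing upload handling ('userfile' is an
// assumed field name; use HCL's real one):
// $f = isset($_FILES['userfile']) ? $_FILES['userfile'] : array();
// $problem = hcl_check_upload($f, 2 * 1024 * 1024);
// if ($problem !== null) { header('HTTP/1.1 400 Bad Request'); exit($problem); }
```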