Help Center Live Community

Support => Installation Help & Software Support => Topic started by: alaor on March 19, 2008, 08:28:36 PM



Title: bug in permissions - vulnerability
Post by: alaor on March 19, 2008, 08:28:36 PM
hello

im trying to understand how to protected my hcl ap against users that know hcl.

example:
i dont need to be logged to upload a file with sucess....

if i try to go direct to this urls. 
http://mydomain.com/hcl/live/chat/admin.php

or

http://mydomain.com/hcl/live/chat/upload.php (here its possible to upload files without be logged)

or

http://mydomain.com/hcl/live/chat/display.php (here the display aparently shows the last conversation trasncrption)

what can i do fix this permissions bugs ???

thanks




Title: Re: bug in permissions - vulnerability
Post by: blitzen on March 23, 2008, 07:08:58 PM
This is a serious question that needs a fix. Our server just got hacked and they uploaded files and files filling up the disk. This shut down websites. I don't know if it was from the bug that alaor cited that is responsible for the hack.

Meanwhile, we disable this by removing the <form... name="upload" ...> elments in the templates (template/Bliss directory),
chat_admin.tpl
and
chat_upload.tpl


Title: Re: bug in permissions - vulnerability
Post by: naturalangle on March 24, 2008, 09:34:23 AM
You know what, I noticed this also, and for me.. Im finding that HCL is just not right for what I want.
This is a terrible bug, and the fact that I cant even get HCL to work on a normal install just stops me from wanting to trying fixing it anymore. I'm sure a lot of other users are not having as much trouble as I am so for them HCL can be great, unfortunately I'm uninstalling it and looking for something else.


Title: Re: bug in permissions - vulnerability
Post by: alaor on March 24, 2008, 03:16:16 PM
blitzen.. i will try do disable upload functions too, but this is not the only problem in my opinion.

i dont know if i was a to much freak about security stuff, but this bug permit anyone to list all users in hcl system...

and for me this is not good thing.... all we know, common users are not good to create and use strong passwords....

so if i was tryng to hacking something after discover all users name, i can try to break passwords from users and loged in like a real operator... this is make me really apreensive...

think about it... someone log in your system and talk with yout customers like a real operator ?!!!!!! ???

but i?m will not quit hcl totally... its a good tool but needs to be repared.... so until we had some response from hcl dev team about this bug i suggest you to check crafty syntax too....im testing this tool yet, but it appears a little more robust about security things....

that is it people... sorry about my poor english...

alaor



Title: Re: bug in permissions - vulnerability
Post by: alaor on March 26, 2008, 06:57:37 PM
ok. im tryng to fix this @#$@ing bug....

im not php expert, i prefere .net/java...

but with some help i create one include that maybe fix this problem...

so here we go...

1-  with some help i create in class folder one file called valida.php with following code

<?
//special thanks to lfcosta that helps me to understant a little bit php

if(!isset($_SESSION['hcl_username']) || $_SESSION['hcl_username'] == ""){
   header("Location: /root/mysite/hcl/admin/login.php");
   exit;
   }
?>


2- so how i say i?m not expert in php... so this code can be ajusted... the objetive of this code is just to check one more time, if exist something in variable username ... so if exist we presume the user is logged....


3- then we put this  include in the end of all files located in hcl/live/chat folder

exempla:

   // do events that need to be done at the end of the file
    $inc->finished();

// lets check if exist some user logged with our new include
     require('../../class/valida.php');

thats is it...

4 - now when user not logged try to acess direclty the files located in hcl/live/chat folder he was redirected to login page


aparently dont affect anything in system. but solve the problem...... if someone have a better solution please tell me here

thanks and good luck