...

Home
News
Joomla Extensions
Research
Downloads
Programming
Graphic Design
Me
Forum
Gallery
What I Don't Know Wiki
Search
Links
Contact Me
Bibliography
Administrator

Login

Who's Online

Google








Home arrow Programmingarrow Joomla Extensionsarrow security problem ??
Discussion Forum
January 09, 2009, 01:23:37 AM *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: SMF - Just Installed!
 
   Home   Help Search Login Register  
Pages: [1]
« previous next »
  Print  
Author Topic: security problem ??  (Read 821 times)
tyuser
Newbie
*
Posts: 3


View Profile Email
« on: November 15, 2007, 03:54:45 PM »
Hi,

I am testing joomla Bibtex ... and it works well.
But i don't understand how to configure correctly the component.

In fact, I think there is a bug or a security problem.
You can edit any bibliography database by adding ... index.php?option=com_jombib&task=add even if you are not login. So in fact it would be possible to edit the database of the demo.

You can avoid this problem by making a link in a menu with index.php?option=com_jombib&task=add and restrict the menu element to frontend users. Nevertheless, in this case, it's not possible to see references on pages 2,3,4,.....

Can anyone help me please ?

PS: sorry for my bad english
Logged
tyuser
Newbie
*
Posts: 3


View Profile Email
« Reply #1 on: November 16, 2007, 01:11:48 AM »
I think I have a fix to avoid direct access to the addBib function.

in jommbib.php
....
case 'add':
if(! ($acl->acl_check('administration','edit','users',$my->usertype, 'components', 'all' ) | $acl->acl_check('administration','edit','users',$my->usertype, 'components', 'com_joombib' ))) {
mosRedirect( 'index2.php' , _NOT_AUTH );
}
addBib($sets,$catId);
break;
.....

A small search on the web shows that it's possible to edit bibliography whithout be registered... Shocked
Logged
Mark Austin
Administrator
Full Member
*****
Posts: 101



View Profile Email
« Reply #2 on: November 26, 2007, 06:29:54 PM »
Many thanks for spotting this flaw.  I will fix this for the next release.  Please use the fix suggested by tyuser for now.

Mark
Logged
tyuser
Newbie
*
Posts: 3


View Profile Email
« Reply #3 on: November 27, 2007, 05:46:56 PM »
Hi Mark,

Just to say that there is the same problem for the case "Showallbib" in joombib.php.
(Even if you disable the link to download .bib.)
Thanks for the reply.
Your joombib is a very good job.

Tyuser
Logged
Pages: [1]
  Print  
« previous next »
 
Jump to:  

Powered by SMF 1.1.1 | SMF © 2006, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com
© 2009 Everything That I Know About