Welcome to Geeklog, Anonymous Thursday, December 26 2024 @ 04:22 pm EST

Geeklog Forums

Chatterblock security...


cocciag

Anonymous
worried
Hi,

I've been chatting with a colleague and he has successfully managed to update Chatterblock messages, even though his user account doesn't permit post edits. He did it as follows:

(Note: cb_chatlog.php does no checking at all. Eek!

Doesn't confirm login or who you are, and disabling edits or deletes is done only by not putting the 'Submit' buttons on the page.)


In cb_chatLog.php it says

    if (!empty($HTTP_POST_VARS['btn_logedit'])) {
        // filters the new text, but never checks who is posting it
        $newmessage = addslashes(COM_checkHTML(COM_checkWords($HTTP_POST_VARS['cb_editmsg'])));
        // cb_editrec is taken straight from the POST to pick the record to overwrite
        $query = "UPDATE " .$_TABLES['cb_chatterlog']. " SET msgtext='" .$newmessage. "' WHERE id='" .$HTTP_POST_VARS['cb_editrec']. "'";
        DB_query($query);
    }


So,

wget --http-user=mo --http-passwd=gp --post-data='btn_logedit=1&cb_editrec=245&cb_editmsg=w00t' www.mygeeklogsite.com/chatterblock/cb_log.php

is all it takes to change post number 245
The POST params aren't exactly as posted above, as I can't remember them.

Is this a known issue?

Regards,
cocciag

Blaine

Forum User
Moderator
Registered: 07/16/02
Posts: 1232
Location:Canada
It's the first I have heard this reported, but now that you have posted all the details here, I'm sure some link and comment spammers will now be trying to hit all the sites running chatterblock.

I'd suggest you disable it until I get around to reviewing this and releasing a supported fix.
Geeklog components by PortalParts -- www.portalparts.com

Blaine

Forum User
Moderator
Registered: 07/16/02
Posts: 1232
Location:Canada
The script has a security test at the top of the script, and in order for this hack attempt to work, you have to have anonymous access open to the chatterlog and "non-admin" access enabled.

I do agree that additional tests can be added so that non-admin access can be left "enabled" to view the chatterlog, and only if you have admin rights will you be able to delete posts.

Blaine

Forum User
Moderator
Registered: 07/16/02
Posts: 1232
Location:Canada
Version 3.0.1 has been released and updated as the plugin download on this site and www.portalparts.com

It's available in the downloads area here.

Changes:
  • Added additional security to the chatterblock log admin "cb_chatterlog.php" to verify the user has correct permissions to edit or delete posts. The script had security to verify you had access, but not for every record if you were posting an edit or delete.
  • Added plugin function to return code version to the plugin editor
  • Added plugin update function - which can be called from the plugin editor
This may be the first plugin to use these two new plugin update/version functions. I added the new APIs at GL 1.3.11. They allow a plugin to report to the plugin editor what version of code is in place (functions.inc and config.php). And if the code version is newer than the installed (registered) version, then you will see an update option when viewing the plugin details. This option only appears if the code version is greater than the installed version. In this case, doing the update will update the registered version information in the plugins table only, since there are no other database changes.


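To make the "verify permissions for every record" change concrete, here is an added example in PHP. It is not Chatterblock's or Geeklog's own code: it shows the edit handler as quoted in the first post, and beside it a hardened version that applies the checks Blaine describes (a per-record rights check on the edit path rather than only a page-level access test). Everything beyond the quoted snippet is an assumption: $db is a PDO connection, the log table has a uid column recording who posted each line, the caller's admin right and uid are passed in rather than read from Geeklog's session, and the optional $filter callable stands in for Geeklog's COM_checkHTML/COM_checkWords content filtering. The hardened version also validates cb_editrec as an integer and uses a prepared statement, since the posted snippet concatenates cb_editrec into the query unescaped.

```php
<?php
// Added example (not Chatterblock's or Geeklog's code). Assumptions: PDO
// connection, a uid column on the log table, rights passed in by the caller,
// $filter standing in for Geeklog's content filters.
declare(strict_types=1);

/**
 * The handler as quoted in the thread, kept only for contrast: anyone who
 * can reach the script and send btn_logedit can rewrite any record, and
 * cb_editrec is used in the SQL without any validation.
 */
function cb_edit_unchecked(array $post, array $tables): string
{
    if (empty($post['btn_logedit'])) {
        return '';
    }
    $newmessage = addslashes($post['cb_editmsg'] ?? '');   // COM_checkHTML/COM_checkWords omitted here
    return "UPDATE " . $tables['cb_chatterlog'] . " SET msgtext='" . $newmessage
         . "' WHERE id='" . ($post['cb_editrec'] ?? '') . "'";
}

/**
 * Hardened handler. Returns true only if the update was actually performed.
 * $is_admin: caller holds the plugin's admin right (e.g. chatterblock.edit).
 * $uid: caller's user id. $filter: optional content filter for the message.
 */
function cb_edit_checked(array $post, PDO $db, array $tables, bool $is_admin, int $uid, ?callable $filter = null): bool
{
    // 1. Only act on a request that actually carries the edit button.
    if (empty($post['btn_logedit'])) {
        return false;
    }

    // 2. Validate the record id as an integer before it goes anywhere near SQL.
    $id = filter_var($post['cb_editrec'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;
    }

    // 3. Authorise per record, not per page: admin right, or ownership of
    //    this particular record (ownership via a uid column is an assumption).
    $table = $tables['cb_chatterlog'];
    $stmt = $db->prepare("SELECT uid FROM {$table} WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $owner = $stmt->fetchColumn();
    if ($owner === false) {
        return false;                      // no such record
    }
    if (!$is_admin && (int) $owner !== $uid) {
        return false;                      // neither admin nor the record's author
    }

    // 4. Filter the content, then update with bound parameters: no addslashes,
    //    no string concatenation of user input into the query.
    $msg = (string) ($post['cb_editmsg'] ?? '');
    if ($filter !== null) {
        $msg = $filter($msg);
    }
    $stmt = $db->prepare("UPDATE {$table} SET msgtext = :msg WHERE id = :id");
    return $stmt->execute([':msg' => $msg, ':id' => $id]);
}

// Stand-alone demonstration against an in-memory SQLite database with one
// constructed record (id 245, posted by uid 7), replaying the thread's POST.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $db = new PDO('sqlite::memory:');
    $db->exec("CREATE TABLE cb_chatterlog (id INTEGER PRIMARY KEY, uid INTEGER, msgtext TEXT)");
    $db->exec("INSERT INTO cb_chatterlog VALUES (245, 7, 'original message')");
    $tables = ['cb_chatterlog' => 'cb_chatterlog'];
    $post   = ['btn_logedit' => '1', 'cb_editrec' => '245', 'cb_editmsg' => 'w00t'];

    echo "unchecked query: ", cb_edit_unchecked($post, $tables), "\n";
    var_dump(cb_edit_checked($post, $db, $tables, false, 10));   // uid 10: not admin, not the author
    var_dump(cb_edit_checked($post, $db, $tables, false, 7));    // uid 7: the record's author
    var_dump(cb_edit_checked($post, $db, $tables, true, 10));    // admin right held
    var_dump(cb_edit_checked(['btn_logedit' => '1', 'cb_editrec' => "245' OR '1'='1", 'cb_editmsg' => 'x'],
                             $db, $tables, true, 10));           // non-integer id is refused before any SQL
    echo $db->query("SELECT msgtext FROM cb_chatterlog WHERE id = 245")->fetchColumn(), "\n";
}
```

Run it with `php cb_edit_example.php` (any filename works). The point of the demonstration is that the same POST body from the wget line in the first post is refused for a user who is neither admin nor the author of record 245, and that the record id is rejected outright when it is not an integer, whereas the quoted handler builds its UPDATE from whatever arrives.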

k74

Forum User
Full Member
Registered: 09/19/04
Posts: 128
Location:Australia
I get the following error when enabling the user function "enable pop-ups: yes":

1064: You have an error in your SQL syntax near ' newest_first=1 WHERE uid=10' at line 1. SQL in question: UPDATE gl_cb_userprefs SET history=86400,mode='static',static_lines=6, scroll_height=250, refresh_rate=300000,log_lines=20, popup_allowed=, newest_first=1 WHERE uid=10

Has anyone else had this problem? Install was successful, everything else seems to work. Any suggestions? Can someone help me?

Regards

Kev
Live everyday as if it was your last!

Blaine

Forum User
Moderator
Registered: 07/16/02
Posts: 1232
Location:Canada
I'm not able to duplicate this.
Tested as admin and normal user. Setting the option or not.
Change in setting was retained each time.

Is this a new install or update?

k74

Forum User
Full Member
Registered: 09/19/04
Posts: 128
Location:Australia
Hi Blaine

I deleted the older install, and re-installed the latest version (3.0/1.3.11 downloaded yesterday) as I had not used the older version yet.

Today the problem is gone. Thank goodness for that!
I don't know why it occurred or why it has gone.

NEW Question: I have to have the following settings for a registered user (non-admin) to access chatterblock, is this correct?

Enable anonymous access to block: Yes
Enable non-admin access to Chatterlog : Yes

If I only have non-admin access -yes, and anonymous access -no, the block will not be seen by registered users.

Also: the admin deletion function of the chatterlog can only take place when:

Enable users to delete last post -Yes

Is this correct? Or should admin be able to access this at any time?

Regards

Kev


Blaine

Forum User
Moderator
Registered: 07/16/02
Posts: 1232
Location:Canada
If you disable anonymous access then you can set up the block to show only for users in a group with the chatterblock.user permission.

Any user with the chatterblock.edit permission has admin level access and should then have full access to edit/delete posts in the chatterlog.

I encourage you to test this out and verify. I really had not looked at the code for this plugin in well over a year and ran it through multiple tests for the 3.0.1 modifications. It appeared to me to pass the access tests correctly, but I like to have users test. They always come up with more interesting tests than I can.



k74

Forum User
Full Member
Registered: 09/19/04
Posts: 128
Location:Australia
Thanks for that Blaine.

Cheers

Kev
