Security Problem with Comments - Need Fix Asap

Anstey Stephan 305 posts	on Feb. 4 2008 I have commented out the code on search.php that searches the comments until this is resolved. If you want me to uncomment and show you my results, let me know. verified that search was done logged completely out verified that comments shown were in associate thread The concern is that we often use the comments for sensitive private data.
Bernard Paquesfrom nearby-an-airport Associate, 8408 posts	on Feb. 7 2008 Ok, I will do the same, and comment out the released code until a solution is find.
Dobliufrom L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 216 posts	on Feb. 10 2008 Hello anteyER, it's a major bug in YACS. Several months ago, i have posted a solution on French forum, due i think, a missing of time it was not reused in news releases. Code below in function search file comments.php; it is running with mysql version = or > v4.1, YACS 7.12 or 8.1, Click to slide /** * search for some keywords in all comments * * @param the search string * @param int the offset from the start of the list; usually, 0 or 1 * @param int the number of items to display * @param string the list variant, if any * @return NULL on error, else an ordered array with $url => ($prefix, $label, $suffix, $icon) * * @see search.php * @see services/search.php / function &search($pattern, $offset=0, $count=30, $variant='search') { global $context; // match $match = ''; $words = preg_split('/\s/', $pattern); while($word = each($words)) { if($match) $match .= ' AND '; $match .= "MATCH(description) AGAINST('".SQL::escape($word['value'])."')"; } // the list of comments /$query = "SELECT * FROM ".SQL::table_name('comments')." AS comments " ." WHERE ".$match ." ORDER BY comments.edit_date DESC" ." LIMIT ".$offset.','.$count; / // ***************** search from Dobliu **************************** $query = "SELECT p1.* FROM (SELECT * FROM ".SQL::table_name('comments')." AS comments " ." WHERE ".$match ." ORDER BY comments.edit_date DESC) AS p1,".SQL::table_name('articles') . " AS articles,".SQL::table_name('sections') ." AS sections WHERE p1.anchor_id = articles.id AND sections.id = articles.anchor_id"; // limit the scope of the request $query .= " AND (sections.active='Y'"; // add restricted items to members, or if teasers are allowed if(Surfer::is_logged() \|\| !isset($context['users_without_teasers'])\|\|($context['users_without_teasers'] != 'Y')) $query .= " OR sections.active='R'"; // add associate if(Surfer::is_empowered('S')) $query .= " OR sections.active='N'"; // include managed sections if(count($my_sections = Surfer::assigned_sections())) $query .= " OR sections.id LIKE ".join(" OR sections.id LIKE ", $my_sections); $query .= ") LIMIT ".$offset.','.$count; // ****************** search from Dobliu **************************** $output =& Comments::list_selected(SQL::query($query), $variant); return $output; }
Bernard Paquesfrom nearby-an-airport Associate, 8408 posts	inspired from dobliu on Feb. 10 2008 Dobliu: What is the minimum version of MySQL that supports combined SELECT statements such as the one you propose ?
Dobliufrom L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 216 posts	on Feb. 10 2008 Bernard: "subselect" in Mysql 4.1, better compliance with SQL specifications. Below 4.1, only `INSERT ... SELECT ...` and `REPLACE ... SELECT ...`, but i have not checked . I use mysql 5; in others case using JOIN instruction can be a solution.
Dobliufrom L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 216 posts	on Mar. 7 2008 hello all where is the search comment patch ? Bernard, do you have a feeback on the suggested fix ? is it in version 8.2 ? bye ...
Anstey Stephan 305 posts	on Mar. 7 2008 I am using mysql MySQL 5.0.24 are there any particular settings that might be wrong in my version?
Anstey Stephan 305 posts	inspired from ansteyER on Mar. 7 2008 So i should find comment.php and replace the function there with this code?
Dobliufrom L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 216 posts	on Mar. 7 2008 hello ansteyER : do you have opened the folder in above comment : "Hello anteyER, it's a major bug in YACS. Several months ago, i have posted a solution on French forum, due i think, a missing of time it was not reused in news releases. Code below in function search file comments.php; it is running with mysql version = or > v4.1, YACS 7.12 or 8.1, Cliquer pour plier/déplier "
Bernard Paquesfrom nearby-an-airport Associate, 8408 posts	on June 20 2008 Dobliu, at the moment the core code of yacs does not allow for search requests in comments, nor in links, to preserve confidentiality. If you wish, please provide an updated version of `search.php` and of related scripts, that could be integrated in July release.
Dobliufrom L'Île de Pâques (en espagnol Isla de Pascua, en rapanui Rapa Nui) 216 posts	on June 22 2008 Dear YACSER'S, Find attached this latest update of comments.php file release 8.1. Don't forget to activate the search in comments (search.php) i am very busy during last days, and for the 8.5 release, i have not make a revision. Bye ... comments.zip

Security Problem with Comments - Need Fix Asap

Files

Comments