
staan
  • Stan, 29 Yo - France
  • osDate Version: osDateEvo v1.3
[FIXED] - [SECURITY BREACH] Blog edition
« on: March 14, 2019, 04:00:48 PM »
Hello,

Any user can edit any blog post on all osDate Evo versions:

When you view a blog post, you can edit the URL:

https://www.OSDATEWEBSITE.com/viewblog.php?id=7

Change viewblog.php?id=7 to editblog.php?id=7 and you are in the blog editor.

I'll probably work on it soon.

« Last Edit: March 15, 2019, 11:01:15 AM by CBG »

CBG
  • osDate Version: osDateEvo v1.3
Re: [SECURITY BREACH] Blog edition
« Reply #1 on: March 14, 2019, 04:58:49 PM »
Hi,

Give this editblog.php a try, I have zipped it up; it is a quick fix that redirects them to bloglist.php.
I have marked what I added with // CBG Start and // CBG End.
Regards,
CBG (Garry)
PHP: 5.x and 7.x | MySQL: 10.1.31-MariaDB-cll-lve

staan
  • Stan, 29 Yo - France
  • osDate Version: osDateEvo v1.3
Re: [SECURITY BREACH] Blog edition
« Reply #2 on: March 14, 2019, 05:52:38 PM »
Hello, thanks, but something doesn't work: a user can't edit his own blog now :(

CBG
  • osDate Version: osDateEvo v1.3
Re: [SECURITY BREACH] Blog edition
« Reply #3 on: March 14, 2019, 06:51:22 PM »
Hi,

Can you give this one a try please? I have attached it as editblog2.zip.
Regards,
CBG (Garry)
PHP: 5.x and 7.x | MySQL: 10.1.31-MariaDB-cll-lve

Pharg
  • osDate Version: osDateEvo v1.3
Re: [SECURITY BREACH] Blog edition
« Reply #4 on: March 14, 2019, 07:15:22 PM »
Hi CBG,

That update is working fine, thanks for the security fix ;)
Regards,
Pharg (Phill)

Don't Personal Message me unless it's about a sensitive matter!!

REMEMBER TO ALWAYS BACKUP BEFORE MAKING ANY CHANGES!!

osDateEvo v1.3 | PHP: 5.3.42 & PHP: 7.2 | MySQL: 5.5.35

staan
  • Stan, 29 Yo - France
  • osDate Version: osDateEvo v1.3
Re: [SECURITY BREACH] Blog edition
« Reply #5 on: March 15, 2019, 10:44:51 AM »
Thanks, working well :)

CBG
  • osDate Version: osDateEvo v1.3
Re: [SECURITY BREACH] Blog edition
« Reply #6 on: March 15, 2019, 10:55:32 AM »
Hi,

Great stuff. I ended up running a database SQL query to make sure the blog story userid was the same as the session userid.
If it is not, it redirects them.
Regards,
CBG (Garry)
PHP: 5.x and 7.x | MySQL: 10.1.31-MariaDB-cll-lve
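The flaw reported at the top of the thread (any logged-in user reaching editblog.php?id=N for someone else's post) and the fix CBG describes in the last reply (compare the post's userid with the session userid, redirect otherwise) are shown together below as an added example. This is not the editblog.php from the attached zip nor any other osDate Evo code; it assumes a table named `blog` with columns `id`, `userid`, `title` and `story`, the logged-in user's id in `$_SESSION['userid']`, an open PDO connection in `$pdo`, and a `login.php` page, none of which are taken from the thread and all of which may differ in the real schema.

```php
<?php
// Added example, not osDate Evo's own editblog.php.
// Assumed (not from the thread): table `blog` (id, userid, title, story),
// $_SESSION['userid'] for the logged-in user, $pdo as an open PDO handle.

session_start();

/**
 * Load a post for editing only if it belongs to $sessionUserId.
 * Returns null both when the post does not exist and when someone else
 * owns it, so the response does not reveal which ids are in use.
 */
function loadOwnPost(PDO $pdo, int $postId, int $sessionUserId): ?array
{
    // Ownership is part of the WHERE clause, so no later code path can
    // load the row while forgetting the check.
    $stmt = $pdo->prepare(
        'SELECT id, userid, title, story FROM blog WHERE id = :id AND userid = :uid'
    );
    $stmt->execute([':id' => $postId, ':uid' => $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Save edits, again scoped to the owner. The userid predicate on the UPDATE
 * is defence in depth: even if the GET-side check were bypassed, the write
 * cannot touch another user's row.
 */
function saveOwnPost(PDO $pdo, int $postId, int $sessionUserId, string $title, string $story): bool
{
    $stmt = $pdo->prepare(
        'UPDATE blog SET title = :title, story = :story WHERE id = :id AND userid = :uid'
    );
    return $stmt->execute([
        ':title' => $title, ':story' => $story, ':id' => $postId, ':uid' => $sessionUserId,
    ]);
}

function denyAndRedirect(int $userId, int $postId): void
{
    // Log the denied attempt so repeated id probing is visible in the logs.
    error_log(sprintf(
        'editblog: user %d denied access to post %d from %s',
        $userId, $postId, $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    header('Location: bloglist.php');   // the redirect target used in the thread's fix
    exit;
}

// --- Vulnerable pattern (the behaviour reported in the thread), for contrast ---
// $id  = (int) $_GET['id'];
// $row = $pdo->query("SELECT * FROM blog WHERE id = $id")->fetch();
// ... editor rendered for whoever is logged in, regardless of who owns the post.

// --- Hardened request handling ---
if (empty($_SESSION['userid'])) {
    header('Location: login.php');      // assumed login page name
    exit;
}
$userId = (int) $_SESSION['userid'];

// Read the id from GET (editor view) or from the hidden form field (save);
// both are attacker-controlled and validated the same way.
$postId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($postId === null || $postId === false) {
    $postId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
}
if ($postId === null || $postId === false) {
    header('Location: bloglist.php');
    exit;
}

$post = loadOwnPost($pdo, $postId, $userId);
if ($post === null) {
    denyAndRedirect($userId, $postId);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $title = (string) ($_POST['title'] ?? $post['title']);
    $story = (string) ($_POST['story'] ?? $post['story']);
    saveOwnPost($pdo, $postId, $userId, $title, $story);
    header('Location: viewblog.php?id=' . $postId);
    exit;
}

// $post is guaranteed to belong to the current user; render the editor here.
```

Two points worth noting for anyone adapting this to the real file: the check has to run on the save request as well as on the initial GET, because the id in the hidden form field can be altered just like the query string; and redirecting to bloglist.php for both "not yours" and "does not exist" keeps the page from acting as an oracle for which post ids are valid.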