This is the community forum. For a developer response use the Client Area.
Follow us on Facebook, Twitter and YouTube!

Security issue and SESSION variables
#1

Hello,

I am exploring your framework and it shows that you have put a lot of work into it. Thank you for making it available Open Source.

However there are some security issues.

First, it is possible for anyone who knows the name and email of a user to spoof a comment by changing the value (even hidden or disabled) in browser dev tools, and the name and email in the POST will be used regardless of what was set for $cmtx_name and $cmtx_email in the php backend.

To overcome this i am trying to access SESSION values to check against in the submit() function in /frontend/controller/main/form.php but the SESSION is not available. It is available in the index() function when page loads, but not through ajax in the submit() function.

Am i missing something here ? What do you recommend ?

Thank you.
Reply
#2

Hi Zey,

Thanks for pointing this out. I agree a session based solution would be best.

The session should be available within the submit() method. It starts it here:

https://github.com/commentics/commentics...ex.php#L15

In the submit() method what output do you get for this:

PHP Code:
<?php 
var_dump
($this->session->data);

Have you completed the interview?
Reply
#3

Hello,

The output for this var_dump is:

- for regular (logged-in) users:
array(0) {} 

- for admin:
array(6) {
  ["cmtx_admin_id"]=>
  string(1) "X"
  ["cmtx_username"]=>
  string(12) "X"
  ["cmtx_csrf_key"]=>
  string(20) "X"
  ["cmtx_user_agent"]=>
  string(114) "X"
  ["cmtx_user_lang"]=>
  string(23) "X"
  ["cmtx_user_ip"]=>
  string(15) "X"
}

How and where should $this->session->data  be populated with SESSION variables ?
Reply
#4

Okay let me run some tests later today. I'll get back to you.

Have you completed the interview?
Reply
#5

I've just tried this myself by adding these two lines in the index() method:

PHP Code:
<?php 
$this
->session->data['cmtx_name_1'] = $this->user->getLogin('name');
$_SESSION['cmtx_name_2'] = $this->user->getLogin('name');

And they're both in the session in the submit() method.

1. Do you have session_start(); in the page you're integrating Commentics into?
2. Do you have the question captcha enabled in Settings -> Layout -> Form? That adds some session data so if that's not adding it then it'd suggest it's a wider problem.
3. In the /frontend/index.php file try removing the ini_set lines in case they're at fault, and var_dump straight after the session_start() line.

Have you completed the interview?
Reply
#6

Hello,

I finally got it working by including my own session management script at the top of frontend/index.php
The SESSION variables are already set there and i can then access them in the submit() function.

Thank you for the hints and quick reply.
Reply


Possibly Related Threads…
Thread / Author Replies Views Last Post

Forum Jump:


Users browsing this thread: 5 Guest(s)