1. Commentics Forum
  2. General
  3. Security
This is the community forum. For a developer response use the Client Area.
Follow us on Facebook, Twitter and YouTube!

Security issue and SESSION variables
Zey
New
*
Posts: 4
Threads: 1
Joined: Apr 2019
#1

18-Apr-2019, 06:31 AM
Hello,

I am exploring your framework and it shows that you have put a lot of work into it. Thank you for making it available Open Source.

However there are some security issues.

First, it is possible for anyone who knows the name and email of a user to spoof a comment by changing the value (even hidden or disabled) in browser dev tools, and the name and email in the POST will be used regardless of what was set for $cmtx_name and $cmtx_email in the php backend.

To overcome this i am trying to access SESSION values to check against in the submit() function in /frontend/controller/main/form.php but the SESSION is not available. It is available in the index() function when page loads, but not through ajax in the submit() function.

Am i missing something here ? What do you recommend ?

Thank you.
Find
Reply
Steven
Administrator
*****
Posts: 2,894
Threads: 59
Joined: Jun 2010
#2

18-Apr-2019, 08:57 AM
Hi Zey,

Thanks for pointing this out. I agree a session based solution would be best.

The session should be available within the submit() method. It starts it here:

https://github.com/commentics/commentics...ex.php#L15

In the submit() method what output do you get for this:

PHP Code:
<?php 

var_dump($this->session->data);
Have you completed the interview?
Find
Reply
Zey
New
*
Posts: 4
Threads: 1
Joined: Apr 2019
#3

18-Apr-2019, 09:10 AM
Hello,

The output for this var_dump is:

- for regular (logged-in) users:
array(0) {} 

- for admin:
array(6) {
  ["cmtx_admin_id"]=>
  string(1) "X"
  ["cmtx_username"]=>
  string(12) "X"
  ["cmtx_csrf_key"]=>
  string(20) "X"
  ["cmtx_user_agent"]=>
  string(114) "X"
  ["cmtx_user_lang"]=>
  string(23) "X"
  ["cmtx_user_ip"]=>
  string(15) "X"
}

How and where should $this->session->data  be populated with SESSION variables ?
Find
Reply
Steven
Administrator
*****
Posts: 2,894
Threads: 59
Joined: Jun 2010
#4

18-Apr-2019, 03:05 PM
Okay let me run some tests later today. I'll get back to you.
Have you completed the interview?
Find
Reply
Steven
Administrator
*****
Posts: 2,894
Threads: 59
Joined: Jun 2010
#5

18-Apr-2019, 07:28 PM
I've just tried this myself by adding these two lines in the index() method:

PHP Code:
<?php 

$this->session->data['cmtx_name_1'] = $this->user->getLogin('name');

$_SESSION['cmtx_name_2'] = $this->user->getLogin('name');

And they're both in the session in the submit() method.

1. Do you have session_start(); in the page you're integrating Commentics into?
2. Do you have the question captcha enabled in Settings -> Layout -> Form? That adds some session data so if that's not adding it then it'd suggest it's a wider problem.
3. In the /frontend/index.php file try removing the ini_set lines in case they're at fault, and var_dump straight after the session_start() line.
Have you completed the interview?
Find
Reply
Zey
New
*
Posts: 4
Threads: 1
Joined: Apr 2019
#6

18-Apr-2019, 09:25 PM
Hello,

I finally got it working by including my own session management script at the top of frontend/index.php
The SESSION variables are already set there and i can then access them in the submit() function.

Thank you for the hints and quick reply.
Find
Reply
« Next Oldest | Next Newest »


Possibly Related Threads…
Thread / Author Replies Views Last Post
The form is missing a security token. Please try again.
uran235
Last Post by Steven
02-Jan-2018, 08:57 PM
Form submitting problem - missing a security token
sanzuu
Last Post by sanzuu
21-Mar-2017, 12:25 PM
Frequent Incorrect Security Key Messages
dhaughey
Last Post by dhaughey
28-May-2014, 05:12 PM

Forum Jump:


Users browsing this thread: 1 Guest(s)
  1. Commentics Forum
  2. General
  3. Security