Advertisement:

Author Topic: Security? SSI.php, ssi_examples.php visible birthday, age=DOB, ( recent posts)  (Read 7465 times)

Offline OCJ

  • Full Member
  • ***
  • Posts: 492
  • Gender: Male
 I knew there was a problem with a former mod 'Look But No Read' - to show topic subjects but not allow reading.  Recent posts were still showing all details of posts with private data like emails.  I used a recommended fix :
Quote
./Sources/Recent.php
Code: (find) [Select]
>
Code: (replace with) [Select]

   is_not_guest();
?>

This stops viewing of recent posts via the url:  site.com/index.php?action=recent (redirects to login)
But it does not stop the ssi script from accessing recent posts as a guest.  :'(
I tried a new alternative mod for displaying board subjects but denying reading but I gave a page full of errors on install.


I knew about the recent posts vulnerability but not this ...

2. ssi_examples.php accesses birthdays (guest can see if a users birthday today or coming soon) and it shows a users age to guests. So easy to get users date of birth.
I set the permissions to deny showing profiles to guests and the calendar is set not to show birthdays. Yet, any guest can see a users birthday if today, and check users age using ssi if their date of birth is entered in their profile.

I cannot see any setting in the profile to deny viewing this data.
Or in Configuration>Features and Options> General | Layout | Signatures | Profile Fields
Or in Core Features > Advanced Profile Fields.
Or in the group permissions.

If this is true then it is possible for guests to get a users complete date of birth. And see that other users have upcoming birthdays - so can easily check later to get DOB. This is quite an important piece of information.

As the ssi_examples.php is installed as default it is a risk. I cant seem to get any result on the smf site (deleted or restricted file permissions?).  But with standard install it seems easily accessable and Ive never seen any warning on smf install to delete it or change the file permissions on it.
Andy

PS
I just checked several smf sites from a 'show case' board and on almost all of them I can access ssi_examples.php and get users birthdays and age= date of birth.
There are a lot of sites out there freely allowing this data to be accessed.


Add to that standard install of ssi_examples.shtml doing the same thing.
And... /SSI.php?ssi_function=todaysBirthdays  (with default install file permissions)

« Last Edit: March 26, 2012, 04:11:29 AM by igirisjin »

kat

  • Guest
I've given the devs a wave, mate.


Offline OCJ

  • Full Member
  • ***
  • Posts: 492
  • Gender: Male
With the example files deleted and the file permissions changed on the ssi file it appears to block everything... though Im not experienced with this stuff.

Offline rosewillrnx

  • Semi-Newbie
  • *
  • Posts: 34
Hello igirisjin,
 I considered starting a new topic but what I really need is the location of the fix you used to stop the viewing of the recent by url.  There are so many > in the code for recent, I need to know where the code goes, maybe near line? I haven't been able to redirect away and people are getting in through that address to browse only new posts instead of having to look for them or register.

I appreciate your time.

Offline rosewillrnx

  • Semi-Newbie
  • *
  • Posts: 34
For the newbies out there. Protect your recent page from public by adding the previously mentioned code at the very end of the referenced page. Works great.



Thanks folks.