Security? SSI.php, ssi_examples.php visible birthday, age=DOB, ( recent posts)

Started by OCJ, March 25, 2012, 09:34:29 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

OCJ

March 25, 2012, 09:34:29 AM Last Edit: March 26, 2012, 04:11:29 AM by igirisjin
 I knew there was a problem with a former mod 'Look But No Read' - to show topic subjects but not allow reading.  Recent posts were still showing all details of posts with private data like emails.  I used a recommended fix :
Quote./Sources/Recent.php
Code: (find) [Select]
>
Code: (replace with) [Select]

   is_not_guest();
?>

This stops viewing of recent posts via the url:  site.com/index.php?action=recent (redirects to login)
But it does not stop the ssi script from accessing recent posts as a guest.  :'(
I tried a new alternative mod for displaying board subjects but denying reading but I gave a page full of errors on install.


I knew about the recent posts vulnerability but not this ...

2. ssi_examples.php accesses birthdays (guest can see if a users birthday today or coming soon) and it shows a users age to guests. So easy to get users date of birth.
I set the permissions to deny showing profiles to guests and the calendar is set not to show birthdays. Yet, any guest can see a users birthday if today, and check users age using ssi if their date of birth is entered in their profile.

I cannot see any setting in the profile to deny viewing this data.
Or in Configuration>Features and Options> General | Layout | Signatures | Profile Fields
Or in Core Features > Advanced Profile Fields.
Or in the group permissions.

If this is true then it is possible for guests to get a users complete date of birth. And see that other users have upcoming birthdays - so can easily check later to get DOB. This is quite an important piece of information.

As the ssi_examples.php is installed as default it is a risk. I cant seem to get any result on the smf site (deleted or restricted file permissions?).  But with standard install it seems easily accessable and Ive never seen any warning on smf install to delete it or change the file permissions on it.
Andy

PS
I just checked several smf sites from a 'show case' board and on almost all of them I can access ssi_examples.php and get users birthdays and age= date of birth.
There are a lot of sites out there freely allowing this data to be accessed.

Add to that standard install of ssi_examples.shtml doing the same thing.
And... /SSI.php?ssi_function=todaysBirthdays  (with default install file permissions)

OCJ

#2
March 26, 2012, 03:29:45 AM
With the example files deleted and the file permissions changed on the ssi file it appears to block everything... though Im not experienced with this stuff.

rosewillrnx

#3
April 03, 2014, 08:41:51 AM
Hello igirisjin,
I considered starting a new topic but what I really need is the location of the fix you used to stop the viewing of the recent by url.  There are so many > in the code for recent, I need to know where the code goes, maybe near line? I haven't been able to redirect away and people are getting in through that address to browse only new posts instead of having to look for them or register.

I appreciate your time.

rosewillrnx

#4
April 03, 2014, 09:48:14 AM
For the newbies out there. Protect your recent page from public by adding the previously mentioned code at the very end of the referenced page. Works great.



Thanks folks.
Print
Go Up Pages1
User actions
Advertisement: