Voitto openmicroblogger → 0.6

Comments and changes to this ticket

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 03:52 PM

  • State changed from “new” to “open”

  yes can see the admin area but not make changes

  omb has a very good (though still new and buggy) centralized security model

  but yes, agreed, should not be able to see it at all

• 

  Johannes Schirge May 18th, 2009 @ 10:25 PM

  Hmm...I just edited your first categorie on openmicroblogger.com/admin

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 10:26 PM

  :-) ok I check it out right now

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 10:42 PM

  insert these 4 lines at line 1508 of /db/library/dbscript/_functions.php

  if ( !( in_array( $request->action, $datamodel->allowed_methods, true )))

  $action = 'get';
  

  if (!($action == 'get'))

  return false;
  

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 10:43 PM

  the public_resource() test is supposed to return true only for GET on a resource

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 10:44 PM

  if you want to push the fix I will pull it from your git

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 10:48 PM

  should have an $action = $request->action; before that too

  $action = $request->action;

  if ( !( in_array( $action, $datamodel->allowed_methods, true )))

  $action = 'get';
  

  if (!($action == 'get'))

  return false;
  

• 

  Johannes Schirge May 18th, 2009 @ 10:53 PM

  Wow, that was really fast! :)
  Thank you, it works!

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 10:56 PM

  glad you like it! :-)

  I can push it if you don't want to

• 

  Johannes Schirge May 18th, 2009 @ 10:59 PM

  Oh, you can't visit the mainpage anymore without being logged in.

  If you fix that, you can push it :P

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 11:03 PM

  fixed like this

  I will push

  $action = $request->action;

  if ( !( in_array( $action, $datamodel->allowed_methods, true )))

  $action = 'get';
  

  if (!($action == 'get' || $action == 'get'))

  return false;
  

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 11:04 PM

  oops hold on

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 11:05 PM

  are you sure? did you use the 5-line version? I can see home page not logged in

• 

  Brian Jesse Hendrickson May 18th, 2009 @ 11:05 PM

  $action = $request->action;

  if ( !( in_array( $action, $datamodel->allowed_methods, true )))

  $action = 'get';

  if (!($action == 'get'))

  return false;

• 

  Johannes Schirge May 18th, 2009 @ 11:44 PM

  Okay, didn't get the 5 line version. now it works with your last post. Thanks! :)

• 

  Brian Jesse Hendrickson May 19th, 2009 @ 12:05 AM

  hi Johannes,

  I just committed all of your fixes, and the security fix too

  http://github.com/voitto/openmicroblogger/commits/master

  also posted a new dbscript.net/omb.zip

  thanks again for your help -brian

• 

  Brian Jesse Hendrickson May 19th, 2009 @ 12:05 AM

  • State changed from “open” to “resolved”

• You flagged this item as spam.
  

  Scot May 20th, 2009 @ 08:12 AM

  Playing around in Identi.ca I noticed an old test account that is still listed by another Identi.ca user under "subscribers.

  While the link showed an old Sportstwit profile url (http://www.sportstwit.com/admin), it actually brought me to: http://openmicroblogger.com/admin.

  This can't be good,

• 

  Brian Jesse Hendrickson May 22nd, 2009 @ 12:24 AM

  • State changed from “resolved” to “open”
• 

  Brian Jesse Hendrickson June 17th, 2009 @ 05:40 PM

  Hi Scot,

  Could you do me a favor and look at the contents of the .htaccess file at SportsTwit.com

  My guess is that the 3rd line says "openmicroblogger.com"

  Thanks a lot

  -- Brian

• 

  Johannes Schirge June 28th, 2009 @ 06:24 AM

  • Tag changed from “admin-area, security-issue” to “medium-priority”

  Is this still a problem?

• 

  Johannes Schirge July 20th, 2009 @ 05:56 AM

  • State changed from “open” to “resolved”

  Okay, no one instead of the admin is able to access the admin menu anymore. Good thing :-)