
Icy Phoenix


Old Support Topics - Injection Vulnerability



Scott [ Thu 16 Oct, 2008 07:33 ]
Post subject: Injection Vulnerability
There appears to be a hole in the security or something strange is happening with the Knowledge Base. Someone appears to be injecting posts into one of the forums whose permissions are set to admin. Here is what they are injecting as a guest. I have deleted the Test Article from the Knowledge Base admin area and also in the forums but they keep reappearing. What makes me believe it is an injection is that the IP of the poster is not mine.

[KB] Test Article

Article Name: Test Article
Author: Scott
Description: This is a test article for your KB

Category: Test Category 1
Type: Test Type 1





Have you had any issues on this site regarding this?


New Player [ Thu 16 Oct, 2008 11:19 ]
Post subject: Re: Injection Vulnerability
I think that was not an injection.

Go to ACP >> Knowledge Base >> Configuration and disable the comments.


Scott [ Thu 16 Oct, 2008 16:25 ]
Post subject: Re: Injection Vulnerability
Why would you want someone to be able to create a comment in a forum with admin only permissions? or create a comment without a post?


New Player [ Thu 16 Oct, 2008 16:42 ]
Post subject: Re: Injection Vulnerability
When comments are activated, the knowledge base generates a topic for comments on the article in the forum that is specified in the category settings,
regardless of what permissions the forum has.


gorsel [ Thu 16 Oct, 2008 17:43 ]
Post subject: Re: Injection Vulnerability
Scott wrote:
Why would you want someone to be able to create a comment in a forum with admin only permissions? or create a comment without a post?
cc


Scott [ Thu 16 Oct, 2008 18:42 ]
Post subject: Re: Injection Vulnerability
New Player wrote:
When comments are activated, the knowledge base generates a topic for comments on the article in the forum that is specified in the category settings,
regardless of what permissions the forum has.


So you are saying that the knowledge base is basically a random topic generator that displays information you have added into the knowledge base? So it will generate a topic even if you have not added any information into the KB?


If that is right, then yea that needs disabled initially.


Chaotic [ Thu 16 Oct, 2008 19:55 ]
Post subject: Re: Injection Vulnerability
From what I've read around here, the KB is kinda "iffy." I would just disable the KB.


New Player [ Fri 17 Oct, 2008 10:28 ]
Post subject: Re: Injection Vulnerability
Scott wrote:
New Player wrote:
When comments are activated, the knowledge base generates a topic for comments on the article in the forum that is specified in the category settings,
regardless of what permissions the forum has.


So you are saying that the knowledge base is basically a random topic generator that displays information you have added into the knowledge base? So it will generate a topic even if you have not added any information into the KB?


If that is right, then yea that needs disabled initially.

Not random.
The knowledge base generates a topic for each article (in this case for the test article) in the knowledge base when comments are active.
When you call an article in the KB, the KB checks whether a topic exists for the article you called (assuming comments are active, and this is the default setting)... For the topic poster, the KB enters the name of the person who called the article (in this case you).

Delete the test category or disable the comments and you won't have another topic.

Chaotic wrote:
From what I've read around here, the KB is kinda "iffy." I would just disable the KB.


The original version is a big security hole, yes, but I think mg has fixed many or all issues.
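
The behaviour described in this thread, as a small model added here (it is not part of any post and is not Icy Phoenix code): a comment topic is created as a side effect of viewing an article, credited to the viewer, in a forum the viewer could not otherwise post in, so it reappears after deletion. All names, the sample IP and the `check_auth` hardening are assumptions made for illustration.

```python
# Simplified model of create-on-view comment topics; every name here is hypothetical.
from dataclasses import dataclass, field

ADMIN, GUEST = "admin", "guest"

@dataclass
class Forum:
    post_level: str                          # minimum role allowed to post
    topics: list = field(default_factory=list)

@dataclass
class Article:
    title: str
    author: str
    comments_enabled: bool = True

def can_post(forum, role):
    return forum.post_level == GUEST or role == ADMIN

def view_article(article, forum, viewer, role, ip, check_auth=False):
    """Return the article's comment topic, creating it on view if it is missing."""
    if not article.comments_enabled:
        return None                          # mitigation from the thread: comments off
    for topic in forum.topics:
        if topic["title"] == "[KB] " + article.title:
            return topic
    # Assumed hardening: a read must not write into a forum the viewer cannot post in.
    if check_auth and not can_post(forum, role):
        return None
    # Behaviour as described: topic is written during a read, credited to the viewer.
    topic = {"title": "[KB] " + article.title, "poster": viewer, "ip": ip}
    forum.topics.append(topic)
    return topic

def simulate(check_auth, comments_enabled=True):
    """Guest views the article, admin deletes the topic, guest views it again."""
    forum = Forum(post_level=ADMIN)          # admin-only forum, as in the first post
    article = Article("Test Article", "Scott", comments_enabled)
    guest = ("Guest", GUEST, "203.0.113.7")  # constructed sample visitor
    view_article(article, forum, *guest, check_auth=check_auth)
    forum.topics.clear()                     # admin deletes the unexpected topic
    view_article(article, forum, *guest, check_auth=check_auth)
    return [(t["poster"], t["ip"]) for t in forum.topics]
```

`simulate(False)` leaves a guest-credited topic in the admin-only forum even after the deletion, which matches the reappearing posts with a foreign IP reported in the first post.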



