There appears to be a hole in the security, or something strange is happening with the Knowledge Base. Someone appears to be injecting posts into one of the forums whose permissions are set to admin. Here is what they are injecting as a guest. I have deleted the Test Article from the Knowledge Base admin area and also in the forums, but they keep reappearing. What makes me believe it is an injection is that the IP of the poster is not mine.
[KB] Test Article
Article Name: Test Article
Author: Scott
Description: This is a test article for your KB
Category: Test Category 1
Type: Test Type 1
Have you had any issues on this site regarding this?
Injection Vulnerability
Subject: Re: Injection Vulnerability
I think that was not an injection.
Go to ACP >> knowledge base >> configuration and disable the comments.
Subject: Re: Injection Vulnerability
Why would you want someone to be able to create a comment in a forum with admin-only permissions? Or create a comment without a post?
Subject: Re: Injection Vulnerability
When comments are activated, the knowledge base generates a topic for comments on the article in the forum that is specified in the category settings, no matter what permissions the forum has.
Subject: Re: Injection Vulnerability
So you are saying that the knowledge base is basically a random topic generator that displays information you have added into the knowledge base? So it will generate a topic even if you have not added any information into the KB?
If that is right, then yea that needs disabled initially.
Subject: Re: Injection Vulnerability
From what I've read around here, the KB is kinda "iffy." I would just disable the KB.
Subject: Re: Injection Vulnerability
Not random.
The knowledge base generates a topic for each article (in this case for the test article) in the knowledge base when comments are active.
When you call an article in the KB, the KB checks whether a topic exists for the article you called (assuming comments are active, and this is the default setting)... For the topic poster, the KB enters the name of the person who called the article (in this case you).
Delete the test category or disable the comments and you won't have another topic ;)
The original version is a big security hole, yes, but I think MG has fixed many or all issues.