some preference page tweaks



Message boards : Website : some preference page tweaks

Istvan Burbank
Joined: 3 Apr 08
Posts: 312
Credit: 58,920
RAC: 0
Message 8872 - Posted: 23 Dec 2008, 22:56:52 UTC

the page found at

http://burp.boinc.dk/home.php

has a few things I'd like to suggest be changed. First off is a bug: for some reason, in the 'headers' (Account information, Community etc.) the word "preferences" is rendered as a link, blue and underlined, with the mouse-over. I would also suggest putting a link to the PM inbox etc. here, as I can't find them at the moment.

~hope this helps, Istvan.

Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4483
Credit: 2,094,806
RAC: 0
Message 8878 - Posted: 24 Dec 2008, 22:33:23 UTC - in response to Message 8872.

the page found at

http://burp.boinc.dk/home.php

has a few things I'd like to suggest be changed. First off is a bug: for some reason, in the 'headers' (Account information, Community etc.) the word "preferences" is rendered as a link, blue and underlined, with the mouse-over. I would also suggest putting a link to the PM inbox etc. here, as I can't find them at the moment.

~hope this helps, Istvan.

Noted, thanks!

Istvan Burbank
Joined: 3 Apr 08
Posts: 312
Credit: 58,920
RAC: 0
Message 8894 - Posted: 27 Dec 2008, 21:10:49 UTC

Actually, where is the inbox page? I sent you a PM, Janus, and I can't seem to find my inbox to see if there is a reply...

PovAddict
Joined: 25 Apr 05
Posts: 347
Credit: 4,618
RAC: 0
Message 8928 - Posted: 29 Dec 2008, 13:30:17 UTC - in response to Message 8894.

Actually, where is the inbox page? I sent you a PM, Janus, and I can't seem to find my inbox to see if there is a reply...

How did you send the PM? I thought Janus removed anything related to PMs from this project.

Istvan Burbank
Joined: 3 Apr 08
Posts: 312
Credit: 58,920
RAC: 0
Message 8929 - Posted: 29 Dec 2008, 13:48:02 UTC

On his account page there is a link called 'send private message'.

Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4483
Credit: 2,094,806
RAC: 0
Message 8936 - Posted: 29 Dec 2008, 16:03:26 UTC

PMs are somewhat disabled at the moment.

Istvan Burbank
Joined: 3 Apr 08
Posts: 312
Credit: 58,920
RAC: 0
Message 8940 - Posted: 29 Dec 2008, 16:28:44 UTC

OK, so then I shouldn't use that link? I could ask in a thread but it is relatively unrelated.

Istvan Burbank
Joined: 3 Apr 08
Posts: 312
Credit: 58,920
RAC: 0
Message 9102 - Posted: 18 Jan 2009, 23:29:08 UTC
Last modified: 18 Jan 2009, 23:32:38 UTC

Well, now I have found a possible security flaw. I could go ahead and test it with permission; it will not break the site. I don't think it should be posted on the boards just in case, so what should I do?

[edit:] If it gives a hint, I can tell you that session 924 will take 17.44 seconds on my machine, though that might not help you... just trying to find a discreet way to let you know.

Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4483
Credit: 2,094,806
RAC: 0
Message 9106 - Posted: 19 Jan 2009, 21:01:23 UTC - in response to Message 9102.
Last modified: 19 Jan 2009, 21:05:36 UTC

Thanks for the note. There are only two ways to get that information, and one of them indeed had a security flaw. Can you confirm that the hole is no longer there so that I can reveal the issue?

May I ask you how you found it? Just randomly typing in URLs?
In the future, please post security flaws to the contact email found at the link at the bottom of every page.

Istvan Burbank
Joined: 3 Apr 08
Posts: 312
Credit: 58,920
RAC: 0
Message 9107 - Posted: 19 Jan 2009, 22:28:44 UTC

Indeed, it is fixed! I found it because I was reading the PHP files for v2 just for fun and comparing them to v3. I saw the code for that page, and I typed in the URL to see what there was to see, and I didn't see what I expected to.

Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4483
Credit: 2,094,806
RAC: 0
Message 9110 - Posted: 19 Jan 2009, 22:59:33 UTC - in response to Message 9107.

Nice work then!

The problem was related to a user identity check made on the session administration page. The check was put there to make sure that only the project admin could view/accept/reject sessions. Unfortunately the check had a semantic typo:

if (!$user->id==1) error_page("You must be the administrator (1) of this project to access this page!");

You would think that this means "If the id of the user is not equal to 1 then abort". But in fact it doesn't mean anything (and hence let everyone through). The correct code is (notice the moved "!"):

if ($user->id!=1) error_page("You must be the administrator (1) of this project to access this page!");

In BURPv.3 the check is done using an entirely different system:

if (!$user->prefs->privilege(S_ADMIN)) error_page("You must be an administrator of this project to access this page!");
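
As an added example (not BURP's own code), here are the three checks from the post side by side, evaluated over constructed user ids so the precedence mistake is visible in the output. The stand-in $user object, the Prefs class, the S_ADMIN value and the privilege() method are assumptions modelled on the names in the post; the second admin id shows why the v3 check drops the hard-coded id.

```php
<?php
// Added example, not BURP's code. $user is a constructed stand-in for the
// BOINC user object; the ids below are sample values.

// Buggy v2 check: '!' binds tighter than '==', so this is (!$user->id) == 1.
// (!$id) is a bool: false for any nonzero id, and false == 1 is false, so a
// logged-in user is never denied. Only id 0 (no user) trips the check.
function deniedBuggy($user) {
    return !$user->id == 1;
}

// Corrected v2 check from the post: compare the id first, then negate.
function deniedFixed($user) {
    return $user->id != 1;
}

// v3-style check: a privilege lookup instead of a hard-coded id.
// S_ADMIN, Prefs and privilege() are assumptions modelled on the post.
define('S_ADMIN', 'admin');
class Prefs {
    private $privs;
    function __construct(array $privs) { $this->privs = $privs; }
    function privilege($p) { return in_array($p, $this->privs, true); }
}
function deniedV3($user) {
    return !$user->prefs->privilege(S_ADMIN);
}

// Build a constructed user with an id and an optional privilege list.
function makeUser($id, array $privs = []) {
    $u = new stdClass();
    $u->id = $id;
    $u->prefs = new Prefs($privs);
    return $u;
}

$cases = [
    'admin (id 1)'          => makeUser(1, [S_ADMIN]),
    'ordinary user (id 42)' => makeUser(42),
    'second admin (id 7)'   => makeUser(7, [S_ADMIN]),
    'no user (id 0)'        => makeUser(0),
];
printf("%-22s %-6s %-6s %-6s\n", 'user', 'buggy', 'fixed', 'v3');
foreach ($cases as $label => $u) {
    printf("%-22s %-6s %-6s %-6s\n", $label,
        deniedBuggy($u) ? 'deny' : 'allow',
        deniedFixed($u) ? 'deny' : 'allow',
        deniedV3($u)    ? 'deny' : 'allow');
}
```

The buggy column allows ids 1, 42 and 7 and denies only id 0, which is exactly the "let everyone through" behaviour described above; the fixed column denies everything but id 1, and the v3 column admits both admins.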

Istvan Burbank
Joined: 3 Apr 08
Posts: 312
Credit: 58,920
RAC: 0
Message 9111 - Posted: 19 Jan 2009, 23:07:17 UTC

I did a quick search, and found no other instances of this mistake.

is the code change to allow for more than one admin/moderator?

Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4483
Credit: 2,094,806
RAC: 0
Message 9119 - Posted: 20 Jan 2009, 0:00:58 UTC - in response to Message 9111.

is the code change to allow for more than one admin/moderator?

Yes

Istvan Burbank
Joined: 3 Apr 08
Posts: 312
Credit: 58,920
RAC: 0
Message 9123 - Posted: 20 Jan 2009, 0:18:56 UTC

I was actually thinking about that: when BURP is opened to new users, there might be more work than one person can handle, with coding, reviewing, and moderating. I was thinking you had done yourself in, Janus ;-)

