IndyNews is a PhpNuke add-on that allows users to include media files (images, documents and so on) to articles. While I was playing with the module, I've found several problems. 1) function delMediaFile() Anybody is able to delete any media attached to already approved articles. 2) function manageMedia() * Anybody can delete any file owned by the user that runs the php script. * Manipulating the cookie, you can modify the path of the uploaded files, so they can be saved wherever you want (into a directory writable by the process owner) 3) function editMediaDescr() and editMediaTempDescr() Anybody can edit the description of a media attached to an approved or pendent article. Since the file description is showed through the HTML alt="" attribute, and no check is performed on its contents, it is possible to alter totally the layout of an article, so as inserting whatever link, image, javascript code, ans so on... There could be some others bugs, without my knowing, since I've not audited the entire code. I contacted the module's author and he has provided a patch available here: http://www.bergamoblog.it/modules.php?name=Downloads&d_op=getit&lid=4 I'm not responsible of the possible permancence of those bugs even though the new release - I have no time to check it. However, the upgrade is strongly encouraged. Regards, Elisa. -- Elisa Manara http://www.entropika.net Sed Software Consortium info (at) sed-consortium.com
This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 10:20:53 PST