Thread: OR security hole exposed by new listing search feature.

  1. #1
    the_sandking
    Join Date
    Apr 2003
    Location
    Nullspace
    Posts
    5,289

    Quote: Originally Posted by greengiant
    This has been added to 1.1.4. We should release later today.

    This is probably not as obvious to some, but a pre-existing security hole has been exposed by adding the simple search/edit features to "listings_edit.php" and "edit_my_listings.php".

    No matter what agent I happen to be logged-in as, all I need is the listing's ID# and I can edit ANY listing in the DB.

    This is fine for the Admin using listings_edit.php but for someone who is an Agent using "edit_my_listings.php", it gives them more power than was probably intended.

    This could be especially troublesome for anyone who is using OR as a portal/pay site..

    Anyone that intends to continue to use this search feature, I would suggest that you plan to add some sort of security query to the "search" to make sure that the person "searching" (editing) can only "see" (edit) listings they have permissions for..

    In the meantime, you should remove the following from "edit_my_listings.php" at or around line 314.. just to "..keep honest people honest"

    Code:
    echo "<table align=\"center\"><tr><td align=\"center\">Enter the Site ID Number Of the Listing You Want To Edit<form action=\"$config[baseurl]/admin/edit_my_listings.php?edit=$id\" method=\"get\" name=\"idform\"><input name=\"edit\" type=\"text\" id=\"listingID\" size=\"10\">&nbsp;&nbsp;<input type=\"submit\" value=\"EDIT LISTING\" class=\"button\" /></form></td></tr></table><br>";
    Removing this does not solve the security problem, it just makes it less obvious to your users/Agents.

    Why? Because any Agent (non-admin) can still just edit the URL in the browser, i.e. "http://www.yourdomain.com/admin/edit_my_listings.php?edit=13437"

    and then just change the listing id at the end "13437" to whatever valid listing number they want and bingo, they're editing and possibly deleting listings they don't have privileges for. :shock:

    The new search feature did not create the security hole, it just exposed it for me.
    "Much of what looks like rudeness in hacker circles is not intended to give offense. Rather, it's the product of the direct, cut-through-the-BS communications style that is natural to people who are more concerned about solving problems than making others feel warm and fuzzy."

    "We gotta' go to the crappy town where I'm a hero!"
    -Hoban 'Wash' Washburne 2485-2519


    "When you’re born you get a ticket to the freak show. When you’re born in America, you get a front-row seat.."
    -George Carlin 1937-2008

    New to Open-Realty® and need help? Check the:
    -OR DOCUMENTATION -

    Important: Read this at least once in your lifetime
    How To Ask Questions The Smart Way

  2. #2
    Join Date
    Jun 2004
    Posts
    1,067

    This is incorrect. The edit_my_listing page checks the userID of the listing. Entering a listing that you don't own results in "You do not have the required privledges to access this area!"
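
The ownership check discussed in posts #1 and #2, as an added example that is not part of the thread and not Open-Realty's own code. The `listings` table, its `owner_id` column, the function name `loadEditableListing` and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema and constructed sample rows; not Open-Realty's real tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');
$db->exec("INSERT INTO listings VALUES (13437, 7, 'Agent 7 listing'), (13438, 9, 'Agent 9 listing')");

/**
 * Load a listing for editing only if the logged-in user may edit it.
 * $sessionUserId and $isAdmin come from the server-side session, never from the request.
 */
function loadEditableListing(PDO $db, int $sessionUserId, bool $isAdmin, $rawId): ?array
{
    // The id arrives as ?edit=... and is user-controlled: accept positive integers only.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    if ($isAdmin) {
        $stmt = $db->prepare('SELECT * FROM listings WHERE id = :id');
        $stmt->execute([':id' => $id]);
    } else {
        // Ownership is part of the WHERE clause, so another agent's id returns no row.
        $stmt = $db->prepare('SELECT * FROM listings WHERE id = :id AND owner_id = :uid');
        $stmt->execute([':id' => $id, ':uid' => $sessionUserId]);
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Agent 7 requests their own listing, then another agent's; an admin and a malformed id follow.
$cases = [['13437', 7, false], ['13438', 7, false], ['13438', 1, true], ['13438x', 7, false]];
foreach ($cases as [$rawId, $uid, $admin]) {
    $listing = loadEditableListing($db, $uid, $admin, $rawId);
    printf("user %d edit=%s -> %s\n", $uid, $rawId, $listing !== null ? 'allowed' : 'denied');
}
```

The same ownership condition belongs in the UPDATE and DELETE statements as well, not only in the SELECT that renders the edit form.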

  3. #3
    the_sandking

    Quote: Originally Posted by greengiant
    This is incorrect. The edit_my_listing page checks the userID of the listing. Entering a listing that you don't own results in "You do not have the required privledges to access this area!"

    Hmmm... Well, for my V1.13 of OR my previous post stands, but with your DEMO version that is online, the security is working correctly, which is very good news..

    I discovered this "problem" while attempting to manually upgrade my V1.13 to V1.14 one file at a time.. Looks like I just have to overwrite my version of this file and attempt to replace my display mods manually....

    Did you make changes to edit_my_listings.php other than to add the search option?


    Note: when I "Log Out" from the DEMO here, it doesn't seem to actually log me out, because I can still access the admin menu as the user that I was originally logged-in as. I had to start a new browser to change users.

  4. #4

    No, that is the only change I made to the edit_my_listings.php file..

    I will look at the demo and see if I can verify and fix that logout bug.

  5. #5
    the_sandking

    Quote: Originally Posted by greengiant
    No, that is the only change I made to the edit_my_listings.php file..

    I will look at the demo and see if I can verify and fix that logout bug.

    Replacing the file, and re-adding my code changes works.. It is very strange, because my mods only affect the display....

    Maybe under the heavy load, the MySQL server is getting funky.. I've had it lock me out of OR's admin section before, and then let me in again after restarting only the MySQL daemon...

    Thanks Ryan!