Tim Almdal wrote:
> Further to: Don't know about you, but, if I try
> http://example.com/gallery3/print_photo/35 I get a forbidden exception
> and if I go put the csrf value on, I end up redirecting to the digibug
> shopping cart, but no link to the full size is exposed. Maybe, I'm a
> little dense tonight, but I'm not sure where the security concern is.
You're sending a <form> back to the browser, then telling it to submit
the form. But the form has the print_proxy url in it! So try
intercepting the form. You can do this by snooping network traffic,
modifying your local dns entry for digibug.com, disabling Javascript,
using Firebug, curl, wget, or lots of other ways. When I do this, I see:
<form action="http://www.digibug.com/dapi/order.php" method="post">
<input type="hidden" name="digibug_api_version" value="100" />
...
<input type="hidden" name="image_1" value="http://example.com/index.php/digibug/print_proxy/73db0f04da7cdf319c68ee11c5526a54" />
</form>
Now I've got the url to a full size image for which I have no
permissions to see. :-(
I'm doing a pass over the Digibug module now and will fix this up along
with some other stuff (the XSS wasn't fully closed, I'm going to
simplify the UI, etc).
-Bharat
------------------------------------------------------------------------------
__[ g a l l e r y - d e v e l ]_________________________
[ list info/archive --> http://gallery.sf.net/lists.php ]
[ gallery info/FAQ/download --> http://gallery.sf.net ]
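The problem Bharat describes is that the print_proxy URL embedded in the order form is a standing capability: whoever holds it can fetch the full-size image, and the permission check that blocked print_photo/35 never runs on the proxy path. The following is an added illustration of that weak design next to a hardened one; it is not Gallery's or the Digibug module's code. It models the proxy token as something issued inside the user's session (where permissions can be checked), random, short-lived and consumed on first fetch, so a URL copied out of the form expires and cannot be replayed. The proxy path, form action and digibug_api_version value are taken from the thread; the IMAGE_ACL table, the 120-second TTL, and the class and function names are assumptions made for the example.

```python
"""Hardened print_proxy token handling (added illustration; not Gallery's code)."""
import secrets
import time
from html import escape

# Assumed values: the proxy path appears in the thread, the TTL is a design choice.
PROXY_BASE = "http://example.com/index.php/digibug/print_proxy/"
TOKEN_TTL_SECONDS = 120

# Constructed access-control data standing in for Gallery's real permission checks.
IMAGE_ACL = {73: {"alice"}, 35: {"alice", "bob"}}


def can_view(user, image_id):
    return user in IMAGE_ACL.get(image_id, set())


class StaticProxyTokens:
    """Model of the weak design in the thread: a fixed token per image that never
    expires, is never consumed and is not tied to any permission check at fetch time."""

    def __init__(self):
        self._by_image, self._by_token = {}, {}

    def issue(self, image_id):
        token = self._by_image.get(image_id)
        if token is None:
            token = secrets.token_hex(16)
            self._by_image[image_id] = token
            self._by_token[token] = image_id
        return token

    def redeem(self, token):
        return self._by_token.get(token)  # works forever for anyone holding the URL


class SingleUseProxyTokens:
    """Hardened design: permission is checked in the user's session when the token
    is issued; the token is random, expires after TOKEN_TTL_SECONDS and is consumed
    on first redemption, so a URL copied out of the form is not a standing capability."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # token -> (image_id, expires_at)

    def issue(self, user, image_id, ttl=TOKEN_TTL_SECONDS):
        if not can_view(user, image_id):
            raise PermissionError(f"{user} may not view image {image_id}")
        token = secrets.token_hex(16)
        self._tokens[token] = (image_id, self._clock() + ttl)
        return token

    def redeem(self, token):
        """Return the image id on the first valid use; None if unknown, used or expired."""
        entry = self._tokens.pop(token, None)  # removed whatever the outcome
        if entry is None:
            return None
        image_id, expires_at = entry
        return image_id if self._clock() <= expires_at else None

    def purge_expired(self):
        """Drop tokens that were never redeemed before their expiry; returns the count."""
        now = self._clock()
        stale = [t for t, (_, exp) in self._tokens.items() if exp < now]
        for t in stale:
            del self._tokens[t]
        return len(stale)


def render_order_form(proxy_urls, action="http://www.digibug.com/dapi/order.php"):
    """Render the hidden-input form from the thread with per-order proxy URLs."""
    inputs = "\n".join(
        f'  <input type="hidden" name="image_{i}" value="{escape(url)}" />'
        for i, url in enumerate(proxy_urls, start=1)
    )
    return (
        f'<form action="{escape(action)}" method="post">\n'
        '  <input type="hidden" name="digibug_api_version" value="100" />\n'
        f"{inputs}\n</form>"
    )


if __name__ == "__main__":
    reg = SingleUseProxyTokens()
    tok = reg.issue("alice", 73)
    print(render_order_form([PROXY_BASE + tok]))
    print("first fetch:", reg.redeem(tok), "second fetch:", reg.redeem(tok))
```

The token is consumed on the first fetch whether or not it was still valid, so an intercepted URL that the print service has already used yields nothing, and one that was never used dies with the TTL. If the print service legitimately needs to fetch an image more than once, issue one token per expected fetch rather than widening the lifetime.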