
Re: State of Digibug module

by Bharat Mediratta



Closure: I've finished making updates to Digibug and have enforced
security.  Tim and I are now disagreeing about the functionality of the
print module.

Tim's point is that you should be able to print photos without letting
the user see the full size.  My point is that we should not have a
module that subverts our view_full permission.  Current state of the
world is that Tim is going to try to figure out a way to get the
functionality we want without sacrificing security.

-Bharat

Bharat Mediratta wrote:

> Tim Almdal wrote:
>> Further to: Don't know about you, but, if I try
>> http://example.com/gallery3/print_photo/35 I get a forbidden exception
>> and if I go put the csrf value on, I end up redirecting to the digibug
>> shopping cart, but no link to the full size is exposed.  Maybe, I'm a
>> little dense tonight, but I'm not sure where the security concern is.
>
> You're sending a <form> back to the browser, then telling it to submit
> the form.  But the form has the print_proxy url in it!  So try
> intercepting the form.  You can do this by snooping network traffic,
> modifying your local dns entry for digibug.com, disabling Javascript,
> using Firebug, curl, wget, or lots of other ways.  When I do this, I see:
>
> <form action="http://www.digibug.com/dapi/order.php" method="post">
>     <input type="hidden" name="digibug_api_version" value="100" />
>     ...
>     <input type="hidden" name="image_1"
>            value="http://example.com/index.php/digibug/print_proxy/73db0f04da7cdf319c68ee11c5526a54" />
> </form>
>
> Now I've got the url to a full size image for which I have no
> permissions to see.  :-(
>
> I'm doing a pass over the Digibug module now and will fix this up along
> with some other stuff (the XSS wasn't fully closed, I'm going to
> simplify the UI, etc).
>
> -Bharat
>
> ------------------------------------------------------------------------------
> __[ g a l l e r y - d e v e l ]_________________________
>
> [ list info/archive --> http://gallery.sf.net/lists.php ]
> [ gallery info/FAQ/download --> http://gallery.sf.net ]
>



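The leak Bharat describes, modelled as an added example that is not the Digibug module's own code: the order form handed to the browser carries a print_proxy URL in a hidden input, so anyone who reads the form (no JavaScript needed) holds a bearer capability to the full-size file, and a proxy that serves on the token alone sidesteps the view_full permission. The item data, permission table, token scheme and function names are all constructed for the example.

```python
import html.parser
import hashlib

# Constructed sample data: item 73 is viewable by guests, but only members
# hold view_full (loosely modelled on Gallery3's permission names).
ITEMS = {73: {"full_path": "/var/albums/vacation/beach.jpg"}}
PERMS = {("member", 73): {"view", "view_full"}, ("guest", 73): {"view"}}

def can(user, perm, item_id):
    return perm in PERMS.get((user, item_id), set())

def proxy_token(item_id, secret=b"hypothetical-server-secret"):
    # Opaque token standing in for the hash in the print_proxy URL on the page.
    return hashlib.sha256(secret + str(item_id).encode()).hexdigest()

TOKEN_TO_ITEM = {proxy_token(i): i for i in ITEMS}

def build_order_form(item_id):
    # The form the module sends back to the browser (shape taken from the thread).
    url = f"http://example.com/index.php/digibug/print_proxy/{proxy_token(item_id)}"
    return ('<form action="http://www.digibug.com/dapi/order.php" method="post">'
            '<input type="hidden" name="digibug_api_version" value="100" />'
            f'<input type="hidden" name="image_1" value="{url}" /></form>')

class HiddenInputs(html.parser.HTMLParser):
    # Collects hidden input name/value pairs, i.e. what any HTTP client sees.
    def __init__(self):
        super().__init__()
        self.values = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.values[a["name"]] = a["value"]

def leaked_proxy_urls(form_html):
    p = HiddenInputs()
    p.feed(form_html)
    return [v for k, v in p.values.items() if k.startswith("image_")]

def print_proxy_insecure(token):
    # Anyone holding the token gets the full-size file: the ACL is bypassed.
    return ITEMS[TOKEN_TO_ITEM[token]]["full_path"]

def print_proxy_checked(token, user):
    # Bharat's position: the proxy must honour view_full like every other route.
    item_id = TOKEN_TO_ITEM[token]
    if not can(user, "view_full", item_id):
        return None
    return ITEMS[item_id]["full_path"]
```

Note that the checked variant also refuses the print service's own fetch, since that request carries no member session; that is precisely the functionality gap the thread leaves open.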