
Re: State of Digibug module

by Chris F-2

Just an idea for this. Can a random string, or something unique to the server for that image, be added to this URL?

That way the full image URL can be passed to a certain function, but a user/system cannot "guess" any other URLs of other images.

The only way you can subvert the full permission of an image is by knowing basically the URL plus the 'key' to that individual image.

So the url would be something similar to:

http://example.com/gallery3/print_photo/35/12390239bbf32f

And the random keys would not be sequential or guessable.


Bharat Mediratta wrote:
Closure: I've finished making updates to Digibug and have enforced
security.  Tim and I are now disagreeing about the functionality of the
print module.

Tim's point is that you should be able to print photos without letting
the user see the full size.  My point is that we should not have a
module that subverts our view_full permission.  Current state of the
world is that Tim is going to try to figure out a way to get the
functionality we want without sacrificing security.

-Bharat

Bharat Mediratta wrote:
> Tim Almdal wrote:
>> Further to: Don't know about you, but if I try
>> http://example.com/gallery3/print_photo/35 I get a forbidden exception
>> and if I go put the csrf value on, I end up redirecting to the digibug
>> shopping cart, but no link to the full size is exposed.  Maybe, I'm a
>> little dense tonight, but I'm not sure where the security concern is.
>
> You're sending a <form> back to the browser, then telling it to submit
> the form.  But the form has the print_proxy url in it!  So try
> intercepting the form.  You can do this by snooping network traffic,
> modifying your local dns entry for digibug.com, disabling Javascript,
> using Firebug, curl, wget, or lots of other ways.  When I do this, I see:
>
> <form action="http://www.digibug.com/dapi/order.php" method="post">
>     <input type="hidden" name="digibug_api_version" value="100"  />
> ...
> <input type="hidden" name="image_1"
> value="http://example.com/index.php/digibug/print_proxy/73db0f04da7cdf319c68ee11c5526a54"
>  />
>     </form>
>
> Now I've got the url to a full size image for which I have no
> permissions to see.  :-(
>
> I'm doing a pass over the Digibug module now and will fix this up along
> with some other stuff (the XSS wasn't fully closed, I'm going to
> simplify the UI, etc).
>
> -Bharat
>
> ------------------------------------------------------------------------------
> __[ g a l l e r y - d e v e l ]_________________________
>
> [ list info/archive --> http://gallery.sf.net/lists.php ]
> [ gallery info/FAQ/download --> http://gallery.sf.net ]
>

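Chris's proposal above, worked through as an added example. This is not Gallery 3 code and was not posted by anyone in this thread; the URL layout, the HMAC construction, the server secret and the expiry field are all assumptions made for the illustration. It goes one step beyond the post by binding the key to an expiry time as well as to the item id, so that an intercepted print URL only works for a limited window, and it verifies the key in constant time. The check is the one the print_proxy endpoint would run before serving the full-size file.

```python
"""Per-image, unguessable print tokens for a print_photo/print_proxy URL.

Added example, not Gallery 3 code. The token is an HMAC over the item id
and an expiry timestamp, keyed with a server-side secret, so knowing the
URL for item 35 tells an attacker nothing about the URL for item 36.
"""
import hashlib
import hmac
import re
import time
from typing import Optional

# Constructed secret for the example. A real deployment would generate a
# random per-install value and keep it outside the web root.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

TOKEN_BYTES = 16  # 128-bit tag, rendered as 32 hex characters


def make_print_token(item_id: int, expires: int,
                     secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over (purpose, item_id, expires), truncated to 128 bits.

    The purpose prefix keeps this tag from being valid for any other
    HMAC-protected URL that happens to use the same secret.
    """
    msg = f"print_photo:{item_id}:{expires}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()[:TOKEN_BYTES]
    return tag.hex()


def make_print_url(base: str, item_id: int, ttl_seconds: int,
                   now: Optional[int] = None) -> str:
    """Build the URL that the print module would place in the order form.

    Assumed layout: <base>/print_photo/<item_id>/<expires>/<token>
    (the original post shows only <item_id>/<key>; expiry is an addition).
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"{base}/print_photo/{item_id}/{expires}/{make_print_token(item_id, expires)}"


_PATH_RE = re.compile(r"^/print_photo/(\d+)/(\d+)/([0-9a-f]{32})$")


def authorize_print_request(path: str, now: int,
                            secret: bytes = SERVER_SECRET) -> Optional[int]:
    """Return the item id if the path carries a valid, unexpired token.

    Returns None (caller answers 403) for a bare /print_photo/<id>, an
    expired token, a token copied onto another item id, or a tampered tag.
    """
    m = _PATH_RE.match(path)
    if not m:
        return None
    item_id, expires, token = int(m.group(1)), int(m.group(2)), m.group(3)
    if now >= expires:
        return None
    expected = make_print_token(item_id, expires, secret)
    # Constant-time comparison so response timing does not leak how many
    # leading hex digits of a guess were correct.
    if not hmac.compare_digest(expected, token):
        return None
    return item_id


if __name__ == "__main__":
    base = "http://example.com/gallery3"
    now = int(time.time())
    url = make_print_url(base, 35, ttl_seconds=600, now=now)
    print("issued:", url)
    path = url[len(base):]
    print("valid now:", authorize_print_request(path, now))
    print("same key on item 36:", authorize_print_request(path.replace("/35/", "/36/"), now))
    print("after expiry:", authorize_print_request(path, now + 600))
```

Note what this does and does not buy. It stops the enumeration Chris is worried about: a sequential `print_photo/<id>` path is rejected, and the tag for one item cannot be reused for another. It does not answer Bharat's objection, because the token is a bearer capability: anyone who intercepts the order form, as described in the quoted message, still holds a URL that serves the full-size image regardless of view_full. The expiry only narrows the window in which that intercepted URL is useful.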
