Ticket #83 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

[PATCH] Security Hole in examples/blog

Reported by: novaa Owned by: why
Priority: minor Milestone: Camping 1.5
Component: examples/blog Version: 1.5
Keywords: Cc:

Description

examples/blog contains a bug where you can edit posts without being logged in. I attached a patch that closes this hole.

The patch also adds this check to 'add', even if it is not possible to add unauthorized posts there because of an AR check. Also this fixes something that is not critical but can produce bugs: the 'view' view refers to post.id but IMO it should refer to @post.id.

Here is how to 'exploit' it:

require 'net/http'
require 'uri'

# assume you run the blog like this: camping examples/blog.rb
$blog_url   = 'http://localhost:3301/edit'
$post_id    = '1'
$post_title = 'BOOM!!!11'
$post_body  = '...'

puts Net::HTTP.post_form(
  URI.parse( $blog_url ),
  {'post_id' => $post_id,
   'post_title' => $post_title,
   'post_body' => $post_body}
).body
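The defect the ticket describes is a classic one: the page that renders the edit form (GET) is login-gated, but the request that actually changes data (POST) is not, so anyone who can construct the form fields can skip the page and submit directly. The following is an added illustration, not code from this ticket, from the attached patch or from Camping's examples/blog.rb: a plain-Ruby stand-in for a Camping controller (the `@state` session hash and `@input` form hash mirror Camping's conventions, but no Camping or ActiveRecord is used) with the unchecked POST beside the fixed one. The post store, the forged form and the user id 7 are constructed sample data.

```ruby
# Added example (not Camping's own code): a stripped-down model of an
# "Edit" controller whose GET is authorized but whose POST was not.

# Constructed in-memory stand-in for the ActiveRecord Post model.
Post = Struct.new(:id, :title, :body)

class PostStore
  def initialize
    @posts = { 1 => Post.new(1, 'First post', 'Hello, world.') }
  end

  def find(id)
    @posts.fetch(Integer(id))
  end
end

# Mimics a Camping controller: @state is the per-visitor session,
# @input the parsed form parameters of the current request.
class EditController
  attr_reader :redirected_to

  def initialize(store, state, input)
    @store, @state, @input = store, state, input
  end

  # GET /edit/<id>: rendering the form already required a login; this part
  # was never the problem.
  def get(post_id)
    return redirect(:login) unless @state[:user_id]
    @post = @store.find(post_id)
    :edit
  end

  # The defect: POST /edit trusted that the form could only have come from
  # the login-gated GET page, so it applied the update for anyone.
  def post_vulnerable
    @post = @store.find(@input['post_id'])
    apply_update
    redirect(:view)
  end

  # The fix: authorize the state-changing request itself, not only the page
  # that renders the form. Every mutating handler needs its own check.
  def post_fixed
    return redirect(:login) unless @state[:user_id]
    @post = @store.find(@input['post_id'])
    apply_update
    redirect(:view)
  end

  private

  def apply_update
    @post.title = @input['post_title']
    @post.body  = @input['post_body']
  end

  def redirect(where)
    @redirected_to = where
  end
end

# Constructed requests: an anonymous session and a logged-in one, each
# submitting the same well-formed edit form without visiting the GET page.
ANON_STATE  = {}                 # no :user_id in the session
LOGGED_IN   = { user_id: 7 }     # constructed user id
FORGED_FORM = { 'post_id' => '1', 'post_title' => 'changed', 'post_body' => '...' }

# Runs one handler against a fresh store and reports the resulting title of
# post 1 plus where the handler redirected.
def run_scenario(handler, state)
  store = PostStore.new
  ctl = EditController.new(store, state, FORGED_FORM)
  ctl.public_send(handler)
  [store.find(1).title, ctl.redirected_to]
end

if __FILE__ == $0
  p run_scenario(:post_vulnerable, ANON_STATE)  # anonymous edit goes through
  p run_scenario(:post_fixed, ANON_STATE)       # refused, post unchanged
  p run_scenario(:post_fixed, LOGGED_IN)        # legitimate edit still works
end
```

The check worth keeping in a code review is the one on the handler that mutates: a login gate on the form page alone proves nothing about who submits the form, which is exactly what the ticket's `Net::HTTP.post_form` call demonstrates.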

Attachments

patch.diff (1.6 kB) - added by novaa 2 years ago.
the bugfix itself

Change History

Changed 2 years ago by novaa

the bugfix itself

Changed 2 years ago by novaa

  • summary changed from Security Hole in examples/blog to [PATCH ]Security Hole in examples/blog

Changed 2 years ago by novaa

  • summary changed from [PATCH ]Security Hole in examples/blog to [PATCH] Security Hole in examples/blog

Changed 2 years ago by why

  • status changed from new to closed
  • resolution set to fixed
  • milestone set to Camping 1.5

Thanks, you took Camping seriously and, in effect, made [153].
