1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

In Xenforo Photopost Any user can be logged in as admin

Discussion in 'Content Management System' started by shabbir, May 11, 2014.

  1. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,292
    Likes Received:
    365
    Trophy Points:
    83
    When working for photopost for a client found a bug in Photopost when integrated with Xenforo where any user with the same IP as admin can login as admin and perform all admin operations on photos.

    In the file forums/xenforo.php on line 317 the code is as follows:
    Code:
    $query2 = "SELECT user_id FROM {$Globals['dprefix']}session_activity WHERE ip = '{$session_data['ip']}'";
    $results = ppmysql_query($query2,$ppdb_link);
    list( $cookuser) = $ppdb['fetch_row']($results);
    
    It fetches the user id of the user based on the session_activity where user's ip match the ip address of the current session after getting the user id, it queries the usergroups permission table to fetch the user permission. Now if the user is on the same ip as Admin, the user gets the permission of the admin and he can modify edit / modify as well as delete photos from photopost.

    The solution that I used was to comment the above 3 lines and use the user id used using the session data. i.e. adding the following line just after the above 3 lines.
    Code:
    $cookuser = $session_data['user_id'];
    
    I tried posting the same in photopost bugs but as I don't have photopost pro account I could not do it but will definitely try to email them about the issue.
     

Share This Page