Security Bug WEBYEP_EDIT=yes in URL

General discussions about WebYep
ritasboss
Posts: 15
Joined: Mon Jun 06, 2011 12:00 pm

Security Bug WEBYEP_EDIT=yes in URL

Postby ritasboss » Tue Apr 08, 2014 4:57 pm

Hi, I just found out that, even as a regular visitor without a WebYep login, you can see content that is normally set to "do not represent" in WebYep. Just append the following snippet to the URL:
WEBYEP_EDIT=yes
Second effect: if in the WY configuration "$webyep_bShowDisabledEditButtons" is set to "true", the visitor also sees inactive WY editing buttons.

WY version 1.7.2

Can anybody help? I swear I used the forum search feature before this post but found nothing.

Max
Rank 4
Posts: 163
Joined: Wed Nov 08, 2006 10:39 pm
Location: UK

Re: Security Bug WEBYEP_EDIT=yes in URL

Postby Max » Thu Apr 10, 2014 12:01 am

Hi ritasboss
I don't think this is a security bug because you need more than the WEBYEP_EDIT=yes.
It's true this will unlock the lock, but it won't unlock the actual WebYep elements, because you need a number after the yes element and that could be anything.
Show disabled edit buttons is for editors that have partial editing access, and this is usually set up in the config file. So it's a way to show there is more to edit if you had full administration access.
All the best, Max

ritasboss
Posts: 15
Joined: Mon Jun 06, 2011 12:00 pm

Re: Security Bug WEBYEP_EDIT=yes in URL

Postby ritasboss » Thu Apr 10, 2014 9:54 am

Hi Max,
Thank you for your answer. You are absolutely right. Visitors without administration access can't edit content. So it's not really a security bug. But (with or without a number after the yes element) content which in WY loop elements is set to "do not display" is shown. That turned into a really big problem for one of my clients, because some content that was just "parked" and planned to be shown on a later date is already known to the public.
I told all my clients to delete those parts as a precaution. They are not very happy with this idea ;-)
I know the sense of displaying disabled edit buttons ;) I already set this feature to "false" in all my clients' config files.
Still I'm looking for a solution ;)

Max
Rank 4
Posts: 163
Joined: Wed Nov 08, 2006 10:39 pm
Location: UK

Re: Security Bug WEBYEP_EDIT=yes in URL

Postby Max » Thu Apr 10, 2014 11:15 am

Ahh, I see what you mean.
I will have a think about how that could be avoided.
Kind regards, Max

ritasboss
Posts: 15
Joined: Mon Jun 06, 2011 12:00 pm

Re: Security Bug WEBYEP_EDIT=yes in URL

Postby ritasboss » Thu Apr 10, 2014 5:57 pm

Hi Max,
Thank you very much! I'm very very glad that you are interested in solving this problem.

ritasboss
Posts: 15
Joined: Mon Jun 06, 2011 12:00 pm

Re: Security Bug WEBYEP_EDIT=yes in URL

Postby ritasboss » Mon Apr 14, 2014 11:24 am

I discovered another effect ...
Now the very helpful function "webyep_bIsEditMode()" becomes a chatterbox. It returns TRUE when the above snippet is used ... no matter if the visitor has administration access or not.
I often use this function for displaying hints for editors - originally only those with admin access ;-) or to decide where to place a WY text element, for example one used for meta tags (TRUE > body, FALSE > head).
I'm thinking about changing the use of "if (webyep_bIsEditMode()){ ...} " to the following code in all my clients' websites ... arrgh.

Code:

if (isset($_SESSION['WebYepIsAuthorized']) && $_SESSION['WebYepIsAuthorized'] == 1) { ... }
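The pattern behind this thread, as an added example that is not WebYep's code and not part of the original post: an edit-mode decision derived from the request alone (the WEBYEP_EDIT=yes case) next to one that additionally requires an authenticated session, applied to a loop element's "do not display" items. The function names, the item structure and the session key check are assumptions modelled on the discussion above, not WebYep's actual API.

```php
<?php
// Added example, not WebYep code. Function names, the item array
// layout and the 'WebYepIsAuthorized' session key are assumptions.

// Insecure pattern: edit mode is derived from the request alone,
// so any anonymous visitor can switch it on with ?WEBYEP_EDIT=yes.
function edit_mode_from_request(array $get): bool
{
    return isset($get['WEBYEP_EDIT']) && $get['WEBYEP_EDIT'] === 'yes';
}

// Hardened pattern: the request may only *ask* for edit mode; it is
// granted only when the server-side session records an authenticated
// editor. The URL parameter never decides authorization on its own.
function edit_mode_authorized(array $get, array $session): bool
{
    $requested  = isset($get['WEBYEP_EDIT']) && $get['WEBYEP_EDIT'] === 'yes';
    $authorized = isset($session['WebYepIsAuthorized'])
               && (int) $session['WebYepIsAuthorized'] === 1;
    return $requested && $authorized;
}

// A loop element renders its disabled ("do not display") items to
// editors only, so this visibility decision must be fed by the
// hardened check, never by the request-only one.
function visible_items(array $items, bool $editMode): array
{
    return array_values(array_filter($items, function (array $item) use ($editMode) {
        return $item['enabled'] || $editMode;
    }));
}

// Constructed sample data: one published item and one parked item.
$items = [
    ['title' => 'Published news',      'enabled' => true],
    ['title' => 'Parked announcement', 'enabled' => false],
];
$get     = ['WEBYEP_EDIT' => 'yes'];  // what an anonymous visitor sends
$session = [];                         // no WebYep login in this session

// Compare what each check lets a visitor without a login see.
foreach (visible_items($items, edit_mode_from_request($get)) as $item) {
    echo "request-only check shows: {$item['title']}\n";
}
foreach (visible_items($items, edit_mode_authorized($get, $session)) as $item) {
    echo "session-backed check shows: {$item['title']}\n";
}
```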

ritasboss
Posts: 15
Joined: Mon Jun 06, 2011 12:00 pm

Re: Security Bug WEBYEP_EDIT=yes in URL

Postby ritasboss » Thu Apr 24, 2014 12:16 pm

Thanks a lot, Johannes Tiefenbrunner! He posted a solution on https://github.com/obdev/WebYep
