Skip to main content
Topic: Security bug in SMF present in Elk as well (Read 2057 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Security bug in SMF present in Elk as well

I'm referring to:
https://github.com/SimpleMachines/SMF2.1/issues/5534

It's a bug present in 2.0 as well, so quite a long story, nothing new.
Basically: any reply to a moderated topic, posted by someone with permission to approve posts is visible in action=recent and in the search by everybody.

Since it has been disclosed already it's pointless to keep it hidden.

Steps to reproduce:
  • have post moderation active,
  • create a new topic with a user that is post-moderated (the topic will be unapproved),
  • login with an account that has permission to post without moderation (e.g. admin),
  • reply to the topic,
  • logout,
  • go to action=recent and see the message posted by the admin.

Workaround: if you have post-moderation active, instruct your moderators to use the "unapprove" button on each reply done to a moderated topic.
This way all the posts will be unapproved and visible only to the people that have permissions to view unapproved posts.

To verify the checkbox "Approve this post" doesn't seem to be honored if not checked (i.e. if you want to post the message directly in unapproved status you cannot).
Bugs creator.
Features destroyer.
Template killer.

Re: Security bug in SMF present in Elk as well

Reply #1
Considering this bug, I would squeeze the scope of 1.1.6 to anything that is already there, this one and another security issue reported a while ago that (not terribly important) and anything that can be fixed by... Sunday night I'd say.
That way it should be possible to have a release out by the end of next week.

@ahrasis while reviewing the bugs, did you see anything that could be considered mandatory to have in 1.1.6? (i.e. things that are causing either data loss or big problems)
Bugs creator.
Features destroyer.
Template killer.

Re: Security bug in SMF present in Elk as well

Reply #2
I don't see any from my side so far, though those who've seen one should highlight theirs, if any.

Re: Security bug in SMF present in Elk as well

Reply #3
I've been a bit too optimistic... :-\
Oh well, the security fixes are ready here locally.
I've cleaned up the list for 1.1.6, something more can be removed depending on what can be fixed.

@Spuds what do you think, all the remaining should be fixed or we can release what we have and leave the rest for later?
Bugs creator.
Features destroyer.
Template killer.

 

Re: Security bug in SMF present in Elk as well

Reply #4
The culled list seems reasonable to address, a couple of the unconfirmed ones will likely get moved to 1.1.7 unless some new information shows up.   We can see what else we can fix this week, defer the rest and try for a release next weekend?
Squish squish. squish, squish, squish.
Find a bug,
Make a wish.