http://drupalcode.org/project/livefeedback.git/blob/refs/heads/7.x-1.x:/... - using raw POST data without any kind of validation or confirmation of a token for the current page/user. Even more worrisome since it involves saving files to the server using file_save_data() which does not do any munging at all.

The $content->data from http://drupalcode.org/project/livefeedback.git/blob/refs/heads/7.x-1.x:/... is not properly escaped and is submitted based on a raw POST variable ($_POST['browserSpecs']).

Anyone who has the 'use live feedback' permission (which I assume would include anonymous users as a common configuration), can now submit files to be saved without any kind of disk quotas (limited by PHP POST request size limits), and with untrusted data.
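Constructed Drupal 7 example of the hardened shape the summary above asks for (an added illustration, not livefeedback's code and not the patch in this issue): a page-bound token check, a size limit applied before anything is written, a server-chosen filename, and the browser-specs string escaped before it is rendered. The path, the `token`/`data` POST parameter names, the `livefeedback/` directory and the 512 KB limit are assumptions.

```php
<?php
/**
 * Hardened POST handler for a feedback widget (constructed example; the
 * hook_menu() path, parameter names, directory and size limit are assumed).
 *
 * The unsafe pattern described in the issue is, schematically:
 *   file_save_data($_POST['data'], $somewhere);   // no token, no quota
 *   $content->data = $_POST['browserSpecs'];       // rendered unescaped
 * A plain Form API form would get the CSRF token for free via form_token;
 * for a JS-driven endpoint the same protection is drupal_get_token().
 */

// Assumed per-submission quota; post_max_size is a PHP limit, not a policy.
define('LIVEFEEDBACK_EXAMPLE_MAX_BYTES', 512 * 1024);

/**
 * Token embedded in the page that renders the widget; the client must echo
 * it back in the POST as 'token'. It is bound to the current session, so a
 * forged cross-site request cannot supply a valid one.
 */
function livefeedback_example_token() {
  return drupal_get_token('livefeedback_example_submit');
}

/**
 * Menu callback for the (assumed) POST endpoint.
 */
function livefeedback_example_submit() {
  if (!user_access('use live feedback')) {
    drupal_access_denied();
    return;
  }

  // Reject anything not carrying a token for this user's session.
  // skip_anonymous is left FALSE so anonymous sessions are bound too.
  $token = isset($_POST['token']) && is_string($_POST['token']) ? $_POST['token'] : '';
  if (!drupal_valid_token($token, 'livefeedback_example_submit')) {
    drupal_add_http_header('Status', '403 Forbidden');
    drupal_exit();
  }

  $data = isset($_POST['data']) && is_string($_POST['data']) ? $_POST['data'] : '';
  // Enforce the quota before the data reaches disk.
  if ($data === '' || strlen($data) > LIVEFEEDBACK_EXAMPLE_MAX_BYTES) {
    drupal_add_http_header('Status', '413 Request Entity Too Large');
    drupal_exit();
  }

  // The client never chooses the filename: it is generated server-side,
  // with a fixed extension, and FILE_EXISTS_RENAME avoids clobbering.
  // (If a client-supplied name were unavoidable it would have to go through
  // file_munge_filename($name, 'txt') first; file_save_data() does none of this.)
  $dir = 'public://livefeedback';
  file_prepare_directory($dir, FILE_CREATE_DIRECTORY);
  $destination = $dir . '/feedback-' . $GLOBALS['user']->uid . '-' . REQUEST_TIME . '.txt';
  $file = file_save_data($data, $destination, FILE_EXISTS_RENAME);
  if (!$file) {
    drupal_add_http_header('Status', '500 Internal Server Error');
    drupal_exit();
  }

  // Browser specs are free text from the client; escape before they are
  // ever rendered, rather than storing them raw into $content->data.
  $specs = isset($_POST['browserSpecs']) && is_string($_POST['browserSpecs'])
    ? check_plain($_POST['browserSpecs']) : '';

  drupal_json_output(array('fid' => $file->fid, 'browserSpecs' => $specs));
  drupal_exit();
}
```

The ordering matters: permission, then token, then size, and only then disk I/O, so an unauthenticated or oversized request is turned away before file_save_data() is reached.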

Attachment: #5 livefeedback-8146106-5.patch (12.12 KB), by jessebeach

Comments

sun

Once these security issues are addressed, it would be great to discuss a potential merger into Feedback module in #1820492: Incorporate/merge livefeedback module into Feedback module :-)

markwk

Just found this module! It is pretty amazing and definitely should be promoted more. Does this security bug represent a blocker for creating at least a dev-release?

btopro

Seems like this is an issue for anonymous users (security issue). Any suggestions on solving the security concerns here?

Mariano

Taking the day to work on this today, should have these security issues nailed by EOB. Thanks for the feedback.

jessebeach


This is the patch Mariano applied to the 7.x-1.x branch.

jessebeach

It looks like the patch in #5 addresses the security issues.

jessebeach

Status: Active » Needs review

sun

Status: Needs review » Active

I didn't actually check the actual code yet, but was there a particular reason for processing raw POST values and not going with a regular Drupal form?

In any case, it looks like it would make sense to get back to [Feedback] #1820492: Incorporate/merge livefeedback module into Feedback module soon-ish.

sun

Status: Active » Needs review