http://drupalcode.org/project/livefeedback.git/blob/refs/heads/7.x-1.x:/... - using raw POST data without any kind of validation or confirmation of a token for the current page/user. Even more worrisome since it involves saving files to the server using file_save_data() which does not do any munging at all.
The $content->data from http://drupalcode.org/project/livefeedback.git/blob/refs/heads/7.x-1.x:/... is not properly escaped and is submitted based on a raw POST variable ($_POST['browserSpecs']).
Anyone who has the 'use live feedback' permission (which I assume would include anonymous users as a common configuration), can now submit files to be saved without any kind of disk quotas (limited by PHP POST request size limits), and with untrusted data.
Comment | File | Size | Author |
---|---|---|---|
#5 | livefeedback-8146106-5.patch | 12.12 KB | jessebeach |
Comments
Comment #1
sun commented: Once these security issues are addressed, it would be great to discuss a potential merger into Feedback module in #1820492: Incorporate/merge livefeedback module into Feedback module :-)
Comment #2
markwk commented: Just found this module! It is pretty amazing and definitely should be promoted more. Does this security bug represent a blocker for creating at least a dev-release?
Comment #3
btopro commented: Seems like this is an issue for anonymous users (security issue). Any suggestions on solving the security concerns here?
Comment #4
Mariano commented: Taking the day to work on this today, should have these security issues nailed by EOB. Thanks for the feedback.
Comment #5
jessebeach commented: This is the patch Mariano applied to the 7.x-1.x branch.
Comment #6
jessebeach commented: It looks like the patch in #5 addresses the security issues.
Comment #7
jessebeach
Comment #8
sun commented: I didn't actually check the actual code yet, but was there a particular reason for processing raw POST values and not going with a regular Drupal form?
In any case, it looks like it would make sense to get back to [Feedback] #1820492: Incorporate/merge livefeedback module into Feedback module soon-ish.
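As an added example (not the livefeedback module's code and not the contents of patch #5), here is one way to close the three gaps the issue summary lists and to address sun's question in #8 about raw POST values: the endpoint stays an AJAX-style POST callback, but every request must carry a Drupal session token, submissions are rate-limited, `browserSpecs` is escaped before storage, and request data never decides what `file_save_data()` writes or where. The menu path `livefeedback/submit`, the POST field names `token` and `screenshot`, the base64 PNG data-URI client format, the `livefeedback_example` function/table names, and the 2 MiB and 10-per-hour limits are assumptions made for this illustration.

```php
<?php
// Added example, not the module's code. Assumed names: livefeedback/submit,
// $_POST['token'], $_POST['screenshot'], table {livefeedback_example}.

/**
 * Implements hook_menu(): the callback is gated by the module's permission.
 */
function livefeedback_example_menu() {
  $items['livefeedback/submit'] = array(
    'page callback'    => 'livefeedback_example_submit',
    'access arguments' => array('use live feedback'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implements hook_init(): give the client a session-bound token that the
 * JavaScript must echo back in the POST body. drupal_get_token() derives it
 * from the session id and the site's private key, so a cross-site forged
 * request cannot know it.
 */
function livefeedback_example_init() {
  if (user_access('use live feedback')) {
    // Drupal 7 does not persist an anonymous session until something is
    // written to $_SESSION; without this the token would change per request.
    if (!isset($_SESSION['livefeedback_example'])) {
      $_SESSION['livefeedback_example'] = TRUE;
    }
    drupal_add_js(array('livefeedback' => array(
      'token' => drupal_get_token('livefeedback'),
    )), 'setting');
  }
}

/**
 * Page callback: validate, sanitize, then save under a server-chosen name.
 */
function livefeedback_example_submit() {
  global $user;

  // 1. Token check: the value must match one minted for this session.
  if (empty($_POST['token']) || !drupal_valid_token($_POST['token'], 'livefeedback')) {
    drupal_access_denied();
    drupal_exit();
  }

  // 2. Per-client rate limit (assumed 10/hour) so a permission granted to
  //    anonymous users cannot be used to fill the disk one request at a time.
  $flood_id = $user->uid ? (string) $user->uid : ip_address();
  if (!flood_is_allowed('livefeedback_submit', 10, 3600, $flood_id)) {
    drupal_json_output(array('status' => FALSE, 'error' => 'Too many submissions.'));
    drupal_exit();
  }
  flood_register_event('livefeedback_submit', 3600, $flood_id);

  // 3. browserSpecs is free text: truncate and HTML-escape before storage.
  $browser_specs = isset($_POST['browserSpecs'])
    ? check_plain(drupal_substr($_POST['browserSpecs'], 0, 1024))
    : '';

  // 4. Accept the screenshot only as a base64 PNG data URI (assumed client
  //    format), decode strictly, cap the size, and verify the PNG signature so
  //    arbitrary bytes are never written into the public files directory.
  $png = FALSE;
  if (isset($_POST['screenshot'])
      && preg_match('#^data:image/png;base64,([A-Za-z0-9+/=]+)$#', $_POST['screenshot'], $m)) {
    $png = base64_decode($m[1], TRUE);
  }
  if ($png === FALSE || strlen($png) > 2 * 1024 * 1024
      || substr($png, 0, 8) !== "\x89PNG\r\n\x1a\n") {
    drupal_json_output(array('status' => FALSE, 'error' => 'Invalid screenshot.'));
    drupal_exit();
  }

  // 5. file_save_data() does no filename munging, so the destination name and
  //    extension are generated here and never taken from the request.
  $directory = 'public://livefeedback';
  if (!file_prepare_directory($directory, FILE_CREATE_DIRECTORY)) {
    drupal_json_output(array('status' => FALSE, 'error' => 'Storage unavailable.'));
    drupal_exit();
  }
  $uri  = $directory . '/' . uniqid('shot_', TRUE) . '.png';
  $file = file_save_data($png, $uri, FILE_EXISTS_RENAME);

  // Store the escaped specs next to the managed file (assumed table schema).
  if ($file) {
    db_insert('livefeedback_example')
      ->fields(array(
        'fid'           => $file->fid,
        'uid'           => $user->uid,
        'browser_specs' => $browser_specs,
        'created'       => REQUEST_TIME,
      ))
      ->execute();
  }

  drupal_json_output(array('status' => (bool) $file));
  drupal_exit();
}
```

The client-side script reads `Drupal.settings.livefeedback.token` and sends it as the `token` POST field; a request that omits it, or that arrives from a session other than the one the token was minted for, is rejected before any file is touched. Note the two checks in step 4 are independent: the size cap bounds how much disk a single accepted request can consume, while the signature check keeps the "screenshot" field from becoming a way to place arbitrary content in a web-served directory.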
Comment #9
sun