Foreign torrent sites: AnimeBytes | AB Security issue regarding images uploaded to Mei

This topic was created in the 'Torrent site news' section by posztoló on 12 September 2018.

  1. posztoló /

    Today it came to our attention that any authenticated user (that is, a user with an account on this site) could view the list of images uploaded to Mei (normally accessible at https://animebytes.tv/user.php?action=mei_uploads) for any other user after manipulating URI GET parameters.

    The issue was introduced on 01.07.2017 14:05 according to our Git logs. For a detailed genesis of the issue, please look below this announcement. After checking our logs spanning two weeks, we've found no indication of anyone using this vulnerability recently. In addition, this vulnerability was not reported to us; we found it.

    As such, we would like to remind you that you should not store any personally identifiable images on our site, and ask you to check your uploaded images and remove any that are. Additionally, we're taking this opportunity to inform you of a new feature on Mei: EXIF tag removal. While Mei was never intended to store pictures taken by devices that store EXIF data, many people do it regardless. To make sure their safety is not breached, we've decided to remove all EXIF data (which includes orientation and colour scheme) from images being uploaded to Mei from now on (this does not include previously uploaded images; we have no resources to process 1 TB of images).

    We're sorry for this situation.


    For those interested in the genesis of this issue: mei_uploads.php, upon receiving a request to display the list of images of a user other than the one currently logged in, performs a simple authorization check against the current user's class level. If it is found to be above the minimum class level for Staff accounts, it continues and allows viewing the other user's images. Historically, we used the STAFF_CLASS definition in constants.php to define this value; however, on 01.07.2017 a commit was pushed that removed this definition and moved it to the private.ini configuration file. At the same time, a search was done across all files in the codebase to replace the STAFF_CLASS definition with a function reading the configuration value. It seems that all files except mei_uploads were changed, for a reason unknown to us. As a result, for over a year mei_uploads was performing its authorization check by comparing an int value against a null value, hence allowing any registered user to pass.
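The authorization failure described in the post above, reconstructed as an added PHP illustration. This is not AnimeBytes' code (the site's source is not public; the page names only mei_uploads.php, constants.php, private.ini and STAFF_CLASS). The function names, the `staff_class` config key, the class values and the `userid` query parameter are assumptions, and the configuration lookup is modelled as returning null for a missing key because the post says the check became an int-against-null comparison. It needs PHP 8 and no extensions.

```php
<?php
declare(strict_types=1);

// Added example, not AnimeBytes' code. Reproduces the failure the announcement
// describes: an authorization check comparing the caller's class (int) against
// a Staff threshold that silently became null once STAFF_CLASS was moved from
// constants.php to private.ini and mei_uploads.php was not updated.
// All names and values below are assumptions.

// Assumed shape of the array loaded from private.ini. $withStaffClass = false
// models a deployment where the key is absent (or the old constant is gone).
function loadConfig(bool $withStaffClass): array
{
    $cfg = ['site_name' => 'example'];
    if ($withStaffClass) {
        $cfg['staff_class'] = 500;   // assumed threshold; the real value is unknown
    }
    return $cfg;
}

// Vulnerable check: same shape as the old "$userClass >= STAFF_CLASS" test, but
// the threshold is resolved at runtime and may be null.
function canViewOtherUploadsVulnerable(int $userClass, array $cfg): bool
{
    $staffClass = $cfg['staff_class'] ?? null;   // null when the key is missing
    // PHP compares int against null by casting both sides to bool, so the
    // expression is true for every class, including 0 (false >= false).
    return $userClass >= $staffClass;
}

// Hardened lookup: fail closed when the threshold cannot be resolved, instead
// of letting a missing config key degrade into "everyone is staff".
function staffClassFromConfig(array $cfg): int
{
    if (!isset($cfg['staff_class']) || !is_int($cfg['staff_class'])) {
        throw new RuntimeException('staff_class missing from private.ini; refusing to authorize');
    }
    return $cfg['staff_class'];
}

function canViewOtherUploadsFixed(int $userClass, array $cfg): bool
{
    return $userClass >= staffClassFromConfig($cfg);
}

// Request side: the GET parameter is only honoured after the check passes;
// otherwise the caller sees their own list (or a 403, depending on policy).
function resolveTargetUser(int $currentUserId, int $currentClass, array $query, array $cfg): int
{
    $requested = isset($query['userid']) ? (int) $query['userid'] : $currentUserId;
    if ($requested === $currentUserId) {
        return $currentUserId;
    }
    if (!canViewOtherUploadsFixed($currentClass, $cfg)) {
        return $currentUserId;   // never trust the GET parameter alone
    }
    return $requested;
}

// Demonstration with an assumed ordinary member class of 100.
$broken = loadConfig(false);
$good   = loadConfig(true);
$member = 100;

var_dump(canViewOtherUploadsVulnerable($member, $broken)); // threshold null: any class passes
var_dump(canViewOtherUploadsVulnerable($member, $good));   // threshold present: member is refused
var_dump(canViewOtherUploadsFixed($member, $good));
try {
    canViewOtherUploadsFixed($member, $broken);
} catch (RuntimeException $e) {
    echo 'fail closed: ', $e->getMessage(), PHP_EOL;
}
var_dump(resolveTargetUser(42, $member, ['userid' => '7'], $good)); // falls back to 42
```

With the threshold missing, the vulnerable check returns true for every class, 0 included, which is exactly the "any registered user can pass" outcome in the post; the hardened version throws instead. The design point is that an authorization threshold must never be nullable: read it once at startup through a typed accessor, and let a missing key abort the request. A mechanical search-and-replace such as the one the post describes is easy to verify afterwards with something like `grep -rn STAFF_CLASS` over the tree, which would have flagged the one file that still referenced the removed constant.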
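The EXIF removal announced earlier in the post, as an added PHP example using the GD extension; this is not Mei's implementation, and the file paths are placeholders. Re-encoding through GD writes only pixel data, which drops EXIF, XMP and ICC segments alike (the post's "orientation and colour scheme"), so the orientation tag has to be applied to the pixels first or phone uploads will display rotated. The handling of the mirrored orientations (2, 4, 5, 7) follows the EXIF tag definitions and is my own. It needs PHP 8 with GD; the exif extension is optional and its absence is treated as "no rotation".

```php
<?php
declare(strict_types=1);

// Added example (not Mei's code): strip metadata from an uploaded JPEG by
// re-encoding it through GD after applying the EXIF orientation to the pixels.

/** Return the EXIF Orientation tag (1-8), or 1 when absent or unreadable. */
function exifOrientation(string $path): int
{
    if (!function_exists('exif_read_data')) {
        return 1;   // exif extension not loaded: assume upright
    }
    $exif = @exif_read_data($path);
    $o = (is_array($exif) && isset($exif['Orientation'])) ? (int) $exif['Orientation'] : 1;
    return ($o >= 1 && $o <= 8) ? $o : 1;
}

/** Apply orientation $o to $img. imagerotate() angles are counter-clockwise degrees. */
function applyOrientation(GdImage $img, int $o): ?GdImage
{
    switch ($o) {
        case 2: imageflip($img, IMG_FLIP_HORIZONTAL); return $img;
        case 4: imageflip($img, IMG_FLIP_VERTICAL);   return $img;
        case 3: $r = imagerotate($img, 180, 0); break;
        case 6: $r = imagerotate($img, -90, 0); break;            // stored image needs 90 CW
        case 8: $r = imagerotate($img, 90, 0);  break;            // stored image needs 90 CCW
        case 5:                                                   // transpose
            $r = imagerotate($img, -90, 0);
            if ($r !== false) { imageflip($r, IMG_FLIP_HORIZONTAL); }
            break;
        case 7:                                                   // transverse
            $r = imagerotate($img, 90, 0);
            if ($r !== false) { imageflip($r, IMG_FLIP_HORIZONTAL); }
            break;
        default: return $img;                                     // 1: already upright
    }
    return $r === false ? null : $r;
}

/** Decode, orient and re-encode; returns false if GD cannot decode the upload. */
function stripExifJpeg(string $src, string $dst, int $quality = 92): bool
{
    $img = @imagecreatefromjpeg($src);
    if ($img === false) {
        return false;   // not a JPEG GD can decode: reject rather than store as-is
    }
    $img = applyOrientation($img, exifOrientation($src));
    if ($img === null) {
        return false;
    }
    // imagejpeg() emits only pixel data: no APP1 (EXIF), no APP2 (ICC), no XMP.
    return imagejpeg($img, $dst, $quality);
}

/** Check: walk the JPEG marker segments looking for an APP1 block with the Exif header. */
function jpegHasExif(string $path): bool
{
    $data = file_get_contents($path);
    if ($data === false || strlen($data) < 4 || substr($data, 0, 2) !== "\xFF\xD8") {
        return false;
    }
    $pos = 2;
    $len = strlen($data);
    while ($pos + 4 <= $len && $data[$pos] === "\xFF") {
        $marker = ord($data[$pos + 1]);
        if ($marker === 0xDA) {
            break;   // start of scan: no more APPn segments can follow
        }
        $segLen = unpack('n', substr($data, $pos + 2, 2))[1];   // includes its own 2 bytes
        if ($marker === 0xE1 && substr($data, $pos + 4, 6) === "Exif\0\0") {
            return true;
        }
        $pos += 2 + $segLen;
    }
    return false;
}

// Usage with placeholder paths: sanitise an upload, then verify no Exif segment survived.
if (stripExifJpeg('/tmp/upload.jpg', '/srv/mei/clean.jpg')) {
    var_dump(jpegHasExif('/srv/mei/clean.jpg'));
}
```

Two caveats a practitioner would want: dropping the ICC profile can visibly shift colours for wide-gamut images, which is the trade-off the post accepts under "colour scheme"; and re-encoding is lossy, so keep the quality high or, for PNG and GIF uploads, route them through the matching `imagecreatefrom*`/`image*` pair rather than forcing everything to JPEG. The `jpegHasExif` scanner is the cheap post-condition check to run on the stored file, not on the original.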