[Xerte-dev] Re: SECURITY PATCH for upload.php

Pat @ Pgogy xerte at pgogywebstuff.com
Wed Mar 13 22:22:05 GMT 2013


Hello,

Once I feel a bit better I will look at this - a bit under the weather. Can Flash access the PHP cookie?

Pat

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 13 Mar 2013, at 11:30, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Pat
> 
> Yeah, it's the Firefox Flash cookie thing that's the real ball breaker... we are still including config.php BUT...
> 
> If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id
> 
> Until we start session in upload.php though we can't tell if we are in firefox or using moodle..
> 
> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from Flash though what browser we are using, otherwise we might still miss one of the options - using Firefox with Moodle authentication I think cannot be detected at present...
> 
> Regards
> 
> John Smith
> Learning Technologist
> School of Health and Life Sciences
> 
> Sent from Samsung Galaxy SII
> 
> 
> 
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
> 
> 
> Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before
> 
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
> 
> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
> 
>> Hi Ron,
>> 
>> Hmmm, there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing the Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate... damn though, we had almost cracked it...
>> 
>> Regards,
>> 
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
>> Sent: 12 March 2013 20:31
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> Hi John
>> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>> 
>> So I guess this is either session related or a js clash?
>> 
>> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>> 
>> I know this is probably going to raise the old chestnut about Moodle integration etc. but obviously all worked fine prior to the recent changes and does when reverting back too.
>> 
>> Cheers
>> Ron
>> 
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
>> Sent: 12 March 2013 20:17
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> Hi John
>> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>> 
>> I'm almost hesitant to mention this...
>> 
>> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>> 
>> Cheers
>> Ron
>> 
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 12 March 2013 19:56
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> Hi Ron
>> 
>> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages, which we are still trying to figure out the best way to catch in Flash...
>> 
>> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>> 
>> Regards
>> 
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>> 
>> Sent from Samsung Galaxy SII
>> 
>> 
>> 
>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>> 
>> 
>> Hi
>> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
>> Ron
>> 
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 16:18
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> 
>> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>> 
>> 
>> 
>> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>> 
>> 
>> 
>> listener.onComplete = function(file:FileReference):Void {
>>     Alert.show("Upload successful");
>>     --etc--
>> }
>> 
>> listener.onHTTPError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: HTTPError");
>>     --etc--
>> }
>> 
>> listener.onIOError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: IOError");
>>     --etc--
>> }
>> 
>> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>>     Alert.show("Upload failed: Security Error");
>>     --etc--
>> }
>> 
>> 
>> 
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 15:42
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> 
>> 
>> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> private function init():void {
>>     fileRef = new FileReference();
>>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>> 
>>     urlReq = new URLRequest();
>>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
>> }
>> 
>> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>>     // evt.data is the response body the server sent back after the upload
>>     var strData:String = StringUtil.trim(evt.data);
>>     var vars:URLVariables = new URLVariables(strData);
>>     Alert.show(vars.fileName, "fileName");
>> }
>> 
>> 
>> 
>> 
>> 
>> Regards,
>> 
>> 
>> 
>> John Smith
>> 
>> Learning Technologist
>> 
>> School of Health & Life Sciences
>> 
>> Glasgow Caledonian University
>> 
>> 
>> 
>> 
>> 
>> -----Original Message-----
>> 
>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> 
>> Sent: Monday, March 11, 2013 3:19 PM
>> 
>> To: For Xerte technical developers
>> 
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> 
>> 
>> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>> 
>> 
>> 
>> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>> 
>> 
>> 
>> Regards,
>> 
>> 
>> 
>> John Smith
>> 
>> Learning Technologist
>> 
>> School of Health & Life Sciences
>> 
>> Glasgow Caledonian University
>> 
>> 
>> 
>> 
>> 
>> -----Original Message-----
>> 
>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> 
>> Sent: Monday, March 11, 2013 2:32 PM
>> 
>> To: For Xerte technical developers
>> 
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> 
>> 
>> If I try and upload php files, onComplete still fires...
>> 
>> 
>> 
>> -----Original Message-----
>> 
>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> 
>> Sent: 11 March 2013 14:27
>> 
>> To: For Xerte technical developers
>> 
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> 
>> 
>> Hold on, I'll see if I can get the events to trip,
>> 
>> 
>> 
>> -----Original Message-----
>> 
>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> 
>> Sent: 11 March 2013 14:20
>> 
>> To: For Xerte technical developers
>> 
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> 
>> 
>> Yeah, it’s the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>> 
>> 
>> 
>> Regards,
>> 
>> 
>> 
>> John Smith
>> 
>> Learning Technologist
>> 
>> School of Health & Life Sciences
>> 
>> Glasgow Caledonian University
>> 
>> 
>> 
>> 
>> 
>> -----Original Message-----
>> 
>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> 
>> Sent: Monday, March 11, 2013 1:57 PM
>> 
>> To: For Xerte technical developers
>> 
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>> 
>> 
>> 
>> No way to receive whether the upload was successful or not?
>> 
>> 
>> 
>> Regards,
>> 
>> 
>> 
>> John Smith
>> 
>> Learning Technologist
>> 
>> School of Health & Life Sciences
>> 
>> Glasgow Caledonian University
>> 
>> 
>> 
>> 
>> 
>> -----Original Message-----
>> 
>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> 
>> Sent: Monday, March 11, 2013 1:48 PM
>> 
>> To: For Xerte technical developers
>> 
>> Subject: [Xerte-dev] Re: SECURITY PATCH for
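The patched upload.php itself is not on this page, so the following is an added sketch (my own, not Xerte's code) of the three points the thread keeps circling: resuming the session from the id that Flash posts (because Flash does not send the browser's session cookie in every browser), checking the uploaded content instead of the client-supplied type, and answering with a non-200 status so that the FileReference side fires onHTTPError rather than onComplete (the "onComplete still fires" problem above). The field name `Filedata`, the `$_SESSION['user_id']` key, the allowed-type table and the uploads directory are all assumptions.

```php
<?php
// Added example, not Xerte's upload.php. Assumes: the Flash client posts the
// session id under PHP's session name, login stores $_SESSION['user_id'],
// FileReference.upload() uses its default field name "Filedata", and files
// are stored in a directory the web server never executes scripts from.
declare(strict_types=1);

// Extension whitelist paired with the MIME types that content may legitimately detect as.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
];

function fail(int $status, string $message): void
{
    // A non-2xx status is what makes the Flash listener raise onHTTPError
    // instead of onComplete; a plain exit(5) would still return 200.
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $message;
    exit;
}

function resumeSessionFromRequest(): void
{
    // Accept only a well-formed id, and set it BEFORE anything (e.g. config.php)
    // calls session_start(), otherwise a fresh empty session is created.
    $posted = $_POST[session_name()] ?? '';
    if (preg_match('/^[A-Za-z0-9,-]{22,128}$/', $posted)) {
        session_id($posted);
    }
    session_start();
    if (empty($_SESSION['user_id'])) {      // assumed key set at login
        fail(401, 'Not logged in');
    }
}

function validateUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        fail(400, 'No file received');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        fail(415, 'Extension not allowed');
    }
    // $file['type'] is whatever the uploader claimed; sniff the bytes instead.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED_TYPES[$ext], true)) {
        fail(415, 'Content does not match extension');
    }
    return $ext;
}

function storeUpload(array $file, string $ext, string $uploadDir): string
{
    // Server-chosen name: the original filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        fail(500, 'Could not store file');
    }
    return $name;
}

resumeSessionFromRequest();
if (!isset($_FILES['Filedata'])) {
    fail(400, 'No file field');
}
$ext  = validateUpload($_FILES['Filedata']);
$name = storeUpload($_FILES['Filedata'], $ext, __DIR__ . '/uploads');  // assumed directory

// URLVariables-style body, which the AS3 UPLOAD_COMPLETE_DATA handler above parses.
header('Content-Type: text/plain');
echo 'fileName=' . rawurlencode($name);
```

Two points worth keeping in mind with this shape: the posted session id is only ever used to resume an existing logged-in session (the `user_id` check rejects a fresh or unknown id), and a rejected upload returns 415 so the client's HTTP error handler fires and shows a real message rather than "Upload successful".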