
Ticket #1113 (fixed bug)

Vulnerability to rebuild the search index

  • Created: 2018-01-27 10:02:25
  • Reported by: Visman
  • Assigned to: Franz
  • Milestone: 1.5.11
  • Component: security
  • Priority: normal

Message

Hello world :)
[color=#FFFFFF][img]https://fluxbb.org/forums/admin_maintenance.php?action=rebuild&i_per_page=1000000&i_start_at=1[/img][/color]

and the admin starts re-indexing a million messages on the forum wink

History

Franz 2018-02-07 16:57:36

  • Milestone set to 1.5.11.

Nice find. wink
Sorry, I've been sick, hence the slow reply.

So this means we need a CSRF token on that route as well?

Visman 2018-02-07 17:11:14

Yes.

nsuchy 2018-07-17 17:37:22

  • Uploaded patch 0001-Patch-rebuild-index-CSRF.patch.

Attached is a .patch file to resolve the issue.

Franz 2018-07-17 19:05:14

  • Owner set to nsuchy.

Franz 2018-07-17 21:54:12

  • Status changed from open to fixed.

Applied locally. Will push this for the release.

Visman 2018-07-18 04:55:14

The patch will not work.
See the solution for my FluxBB https://github.com/MioVisman/FluxBB_by_ … 474b459d06

Franz 2018-07-18 08:58:43

@Visman: Can you clarify why?

nsuchy 2018-07-18 17:01:44

Hi Visman,

We appreciate the feedback on our patch as well as the alternate patch you proposed. Would you mind letting us know why you recommend checking the referer rather than a CSRF token?

Cheers,
Nathaniel

Visman 2018-07-18 17:36:09

I'm not talking about this.
There is a loop that goes through the posts. And every cycle iteration must be protected, not just the form.
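
The two points made in this ticket (the [img]-based CSRF in the original report, and Visman's remark that every iteration of the rebuild loop needs the token, not only the form that starts it) modelled as a small stand-alone example. This is an added illustration, not FluxBB code or either of the patches discussed above: the route name, the action=rebuild / i_per_page / i_start_at parameters and the fluxbb.org host are taken from the PoC URL in the report; the session layout, the token handling, the post count and the helper names are assumptions made for the example.

```python
"""Toy model of CSRF protection for a paginated admin action (added example).

Not FluxBB code.  Only the route name, the query parameters and the host come
from the ticket's PoC URL; the session layout, token handling and the fake post
store are assumptions for this illustration.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ROUTE = "https://fluxbb.org/forums/admin_maintenance.php"  # host from the PoC URL
TOTAL_POSTS = 25  # constructed: size of the fake post table


class Forbidden(Exception):
    """Raised when a request fails the CSRF check."""


def new_session():
    """A logged-in admin session; one random token per session (assumption)."""
    return {"user": "admin", "csrf_token": secrets.token_hex(16)}


def rebuild_url(session, start_at, per_page):
    """URL for one step of the rebuild loop, carrying the session's token."""
    q = {"action": "rebuild", "i_per_page": per_page,
         "i_start_at": start_at, "csrf_token": session["csrf_token"]}
    return ROUTE + "?" + urlencode(q)


def _params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_token(session, params):
    """Constant-time comparison of the submitted token against the session's."""
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        raise Forbidden("missing or wrong csrf_token")


def handle_rebuild(session, url):
    """One iteration of the rebuild loop.

    The token is checked on every request, not only on the one that starts the
    loop, so a forged continuation URL (i_start_at > 1) fails exactly like a
    forged first request.  Returns (posts_reindexed, next_url_or_None).
    """
    p = _params(url)
    if p.get("action") != "rebuild":
        raise ValueError("not a rebuild request")
    check_token(session, p)
    start = int(p.get("i_start_at", 1))
    per_page = int(p.get("i_per_page", 100))
    end = min(start + per_page - 1, TOTAL_POSTS)
    done = end - start + 1  # posts "reindexed" in this batch (fake work)
    if end >= TOTAL_POSTS:
        return done, None
    return done, rebuild_url(session, end + 1, per_page)


def run_full_rebuild(session, per_page):
    """Drive the loop the way the admin's browser would, following next URLs."""
    url = rebuild_url(session, 1, per_page)
    total = 0
    while url is not None:
        n, url = handle_rebuild(session, url)
        total += n
    return total


def is_rejected(session, url):
    """True if the request fails the CSRF check (used to probe forged URLs)."""
    try:
        handle_rebuild(session, url)
    except Forbidden:
        return True
    return False


def referer_only_allows(request_referer):
    """The weaker alternative raised in the thread: accept when the Referer is
    on our own host.  An <img> placed in a forum post is fetched while the
    admin views a forum page, so the browser sends a same-site Referer and
    this check passes for the forged request."""
    return urlparse(request_referer).netloc == urlparse(ROUTE).netloc


if __name__ == "__main__":
    s = new_session()
    # The PoC URL from the ticket, as an ordinary user would embed it in [img]
    forged = ROUTE + "?action=rebuild&i_per_page=1000000&i_start_at=1"
    print("forged first request rejected:", is_rejected(s, forged))
    print("forged continuation rejected:",
          is_rejected(s, ROUTE + "?action=rebuild&i_per_page=10&i_start_at=11"))
    print("referer check alone would allow it:",
          referer_only_allows("https://fluxbb.org/forums/viewtopic.php?id=1"))
    print("legitimate rebuild reindexed", run_full_rebuild(s, 10), "posts")
```

The token travels in every "next page" URL the server hands back, so the only way to reach i_start_at=11 is to have received the URL for i_start_at=1 from an authenticated page; a URL minted for one session is also rejected in another, since the token is bound to the session rather than to the route.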

Franz 2018-07-18 21:00:17

  • Status changed from fixed to open.

@nsuchy: Can you take care of that, please? (Using the token instead of the referrer check.)

Franz 2018-12-29 22:46:08

  • Owner changed from nsuchy to Franz.

Franz 2018-12-29 22:50:37

  • Status changed from open to fixed.

Commit 085fb91 to fluxbb master

Always confirm referrer on search index rebuild

Because of the extra condition, somebody could trick the admin into
rebuilding the search index **without emptying the index first**,
potentially causing high server load.

Fixes #1113.

Franz 2018-12-29 22:53:36

Commit 633d100 to fluxbb master

Check for CSRF token when rebuilding search index

Refs #1113.

Franz 2018-12-31 14:38:54

  • Visibility set to public.