    • 30215
    • 79 Posts
    I use Jot for comments on my page, only for registered users. However, several posts have the ’createdby’ field empty, which should be impossible. After some digging I found that it’s not really difficult to avoid this restriction.

    1) I log in and go to the page with comments
    2) I open another page of that web and log out
    3) Then I return to the first page with comments, fill in the form and post the comment
    4) Jot normally inserts the new comment into the database, but as I am logged out, the ’createdby’ field remains blank (zero).

    I guess Jot checks whether the user is logged in only when displaying the form. Once the form is submitted, Jot doesn’t care anymore about the user.

    <h2 id="comments" class="border">Comments</h2>
    [!Jot? &action=`comments` &customfields=`name,email` &subscribe=`1` &pagination=`10` &canmoderate=`Site Admins` &canpost=`Registered` &css=`0` !]
    
    <h2 class="border">Post new comment</h2>
    [!Jot? &action=`form` &subscribe=`1` &customfields=`name,email` &canmoderate=`Site Admins` &canpost=`Registered` &debug=`0` &cssFile=`assets/templates/svoboda/styles/comments.css` !]


    Am I doing something wrong or is it really a bug? Actually, I really think this behavior is bad; the question is whether I have to hack the Jot code or whether there is another way to secure my web.
      -- sorry for my english, bad teacher smiley
    • Well, it’s not pretty, but since the user has to log on in the first place, I don’t see where it’s going to actually hurt anything. And I am pretty sure that if captcha is on, then it would fail since the SESSION captcha value would be gone.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        • 30215
        • 79 Posts
        The problem is that a user can post comments anonymously. I can’t block him as I don’t know who it was. I can ban only the IP address, but that is also not a solution because I don’t want to block many other users using the same IP. And I use captcha only during the registration; once the user is registered, it has no meaning to use it again. It would be annoying for users.
          -- sorry for my english, bad teacher smiley
          • 30215
          • 79 Posts
          Ok, here is my fix. I added four simple lines which check whether the user can post. You can either download the attached file or just add the following code to your jot.class.inc.php:

          // line 485
          if ($saveComment && !$this->canPost) {
              $this->form['error'] = 4; // Comment rejected 
              return;
          }

            -- sorry for my english, bad teacher smiley
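
The pattern discussed in this thread, as an added example that is not part of the original posts and is not Jot's own code: a permission check done only when the form is displayed, next to one repeated when the form is submitted. All function names, the session layout and the in-memory "database" are hypothetical; only the `createdby` field and error code 4 come from the thread.

```php
<?php
// Added illustration with hypothetical names; not Jot's real code.
// Constructed scenario: the form was rendered while logged in, then the
// session ended in another tab before the form was submitted.

/** Resolve the current user from session state; 0 means "not logged in". */
function currentUserId(array $session): int
{
    return (int) ($session['userId'] ?? 0);
}

/** Posting rule shared by the form renderer and the submit handler. */
function canPost(array $session): bool
{
    return currentUserId($session) > 0;
}

/** Unchecked: assumes the form was only ever shown to allowed users. */
function saveCommentUnchecked(array $session, array $post, array &$db): int
{
    $db[] = ['createdby' => currentUserId($session), 'content' => $post['content']];
    return 0; // no error reported
}

/** Checked: repeats the permission test at the moment of submission. */
function saveCommentChecked(array $session, array $post, array &$db): int
{
    if (!canPost($session)) {
        return 4; // "comment rejected", the error code used in the fix above
    }
    $db[] = ['createdby' => currentUserId($session), 'content' => $post['content']];
    return 0;
}

$loggedIn  = ['userId' => 17]; // constructed session when the form is displayed
$loggedOut = [];               // same browser after logging out in another tab
$post      = ['content' => 'hello'];
$dbA = [];
$dbB = [];

printf("form shown to user: %s\n", canPost($loggedIn) ? 'yes' : 'no');
$errA = saveCommentUnchecked($loggedOut, $post, $dbA);
$errB = saveCommentChecked($loggedOut, $post, $dbB);
printf("unchecked: error=%d rows=%d createdby=%d\n", $errA, count($dbA), $dbA[0]['createdby']);
printf("checked:   error=%d rows=%d\n", $errB, count($dbB));
```

The unchecked handler stores a row whose `createdby` is zero, which is the symptom reported in the first post; the checked handler stores nothing and returns the rejection code.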