Posted by deviantintegral on November 3, 2011 at 3:20pm
| Project: | QTChat |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
| Issue tags: | Security improvements |
Issue Summary
I've found two security issues in this module.
- QTC uses a series of GET requests to update data on the server. The requests don't use tokens to validate the request. This means that any user can set the status of any other user, or potentially view other users' queued messages through XSS. Of note are qtc_ajax_heartbeat() and qtc_ajax_set_online_status().
- Along the same lines, qtc_ajax_set_online_status() doesn't validate the user account against the session. It also doesn't validate the 'op' parameter, so any integer can be passed in, leading to corrupt data in the {qtc_stats} table. For example, while logged in as UID 4, I could set UID 1's chat status by pinging http://localhost/drupal6/qtc/ajax/set-online-status?act=4&op=10&id=1
I originally filed this with the security team, but there isn't a stable release of this module. This issue has been cleared to be filed publicly in this queue by them.
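As an added illustration of the fix the report asks for (this is not the QTChat module's code; the path, function name and `act`/`op`/`id` parameters are reused from the report, while the `status` column and the allowed `op` values are assumptions), here is how a Drupal 6 menu callback for the status endpoint could require a session-bound token, tie the target account to the logged-in user, and reject `op` values that are not known. The same token check would apply to the heartbeat callback.

```php
<?php
// Hypothetical hardening of the set-online-status endpoint from the report.
// Uses only Drupal 6 core APIs: hook_menu, drupal_valid_token, db_query, drupal_json.

/**
 * Implementation of hook_menu(): require a logged-in user at the menu layer.
 */
function qtc_menu() {
  $items['qtc/ajax/set-online-status'] = array(
    'page callback' => 'qtc_ajax_set_online_status',
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: only the session user may change their own status, and only
 * with a token minted for this action via drupal_get_token('qtc-set-online-status').
 */
function qtc_ajax_set_online_status() {
  global $user;
  // Assumed set of valid status codes; anything else is never written to {qtc_stats}.
  $allowed_ops = array(0, 1, 2);

  $token = isset($_GET['token']) ? $_GET['token'] : '';
  $id    = isset($_GET['id'])    ? (int) $_GET['id'] : 0;
  $op    = isset($_GET['op'])    ? (int) $_GET['op'] : -1;

  // The token is derived from the caller's session, so a link planted on
  // another site (or a GET issued by injected script) cannot forge it.
  if (!drupal_valid_token($token, 'qtc-set-online-status')) {
    drupal_access_denied();
    return;
  }
  // Bind the target account to the session instead of trusting the URL.
  if ($id !== (int) $user->uid) {
    drupal_access_denied();
    return;
  }
  // Reject unknown op values rather than storing arbitrary integers.
  if (!in_array($op, $allowed_ops, TRUE)) {
    drupal_json(array('error' => 'invalid op'));
    return;
  }
  // Assumed schema: {qtc_stats}.status holds the user's chat status.
  db_query("UPDATE {qtc_stats} SET status = %d WHERE uid = %d", $op, $user->uid);
  drupal_json(array('status' => 'ok'));
}
```

The client-side script would obtain the token once from drupal_get_token('qtc-set-online-status') (for example via drupal_add_js() settings) and append it as the `token` query parameter on every request.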