Hi,
I have recently experienced lots of problems with my very old articles (book pages) popping up on top of the front page.
After investigation I found that a new revision of the articles had been created by an anonymous user, with the only change being the publication date/time set to the current time.
After a closer look at the log files I have also found entries such as:
User Anonymous
Location http://www.tigase.org/node/19/rearrange
Duplicate entry 'content/maven-2x-support-' for key 'dst_language' query: path_set_alias /* Anonymous : path_set_alias */ INSERT INTO url_alias (src, dst, language) VALUES ('node/197', 'content/maven-2x-support', '') in /home/webapp/drupal-sites/modules/path/path.module on line 112.
The 'Rearrange' page shows on all book pages, even for anonymous users, even if the permissions are set not to allow anonymous users to rearrange book pages. Of course, if you load the 'Rearrange' page as anonymous in your browser you cannot change the arrangement, BUT I think that some bots can get around the JavaScript and somehow actually execute some changes on the pages.
For now I have deactivated DraggableViews Book handler module on my website.
I hope this helps.
Comments
Comment #1
sevi commented
Whenever a form_submit is performed - by human or by machine - the permissions are checked. So bots would have to deal with this permission check too.
But even if this permission check failed, the attacker WOULD NOT be able to access nodes (well-configured permissions assumed):
In order to save any value related to a "draggable" view DraggableViews requires a valid form-id in advance. But building the form (and hence registering the form-id) requires access to the Views display (the display, where your style plugin is set to "Draggable Table").
Furthermore Draggableviews never changes values of nodes directly.
For example the Book-handler uses node_save($node); to change the menu structure. And node_save($node); includes permission checks for sure. So from my point of view it's impossible that DraggableViews causes an unauthorized "INSERT INTO..".
Note that the reason why the "Rearrange" tab appears for anonymous users deals with the menu system, not with DraggableViews.
Greetings,
sevi
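As an added illustration of sevi's point that whether the "Rearrange" tab appears is decided by the menu router's access callback, not by DraggableViews, here is a Drupal 6 hook_menu() definition with the weak setting beside the corrected one. This is example code written for this thread, not code from DraggableViews, the book module or Drupal core; the module name "mymodule", the paths and the callback names are hypothetical, and the page callback is assumed to be defined elsewhere in the module.

```php
<?php
// Added example (not DraggableViews' or Drupal core's code): two Drupal 6
// menu router entries for a book "Rearrange" local task. The first shows the
// setting that makes the tab visible (and the page reachable) for anonymous
// users; the second ties it to a real permission. "mymodule" and the callback
// names are hypothetical.

/**
 * Implementation of hook_menu().
 */
function mymodule_menu() {
  $items = array();

  // WEAK: an access callback of TRUE makes the menu system render the tab and
  // serve the page for every visitor, including anonymous. Any form on that
  // page then relies solely on its own checks (e.g. inside node_save()).
  $items['node/%node/rearrange-weak'] = array(
    'title' => 'Rearrange',
    'page callback' => 'mymodule_rearrange_page', // assumed defined elsewhere
    'page arguments' => array(1),
    'access callback' => TRUE,
    'type' => MENU_LOCAL_TASK,
  );

  // CORRECTED: access depends on the book module's own permission and on the
  // node actually being part of a book. The menu system hides the tab and
  // answers 403 for anyone else, before any form is built.
  $items['node/%node/rearrange'] = array(
    'title' => 'Rearrange',
    'page callback' => 'mymodule_rearrange_page', // assumed defined elsewhere
    'page arguments' => array(1),
    'access callback' => 'mymodule_rearrange_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );

  return $items;
}

/**
 * Access callback for the corrected entry.
 *
 * $node->book is populated by the book module on load for nodes that belong
 * to a book outline; 'administer book outlines' is the book module's
 * permission for changing that outline.
 */
function mymodule_rearrange_access($node) {
  return isset($node->book) && user_access('administer book outlines');
}
```

The check to make on a site showing the reported symptom is therefore the router entry for the `rearrange` path (in Drupal 6 the `menu_router` table, or the defining module's hook_menu()): if its access callback is unconditional, the tab and page are exposed to anonymous users by the menu system regardless of the DraggableViews settings, and the form-level permission checks sevi describes are the only remaining barrier.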