Web Wiz Support and Community Forums : Edit -> delete url change BUG

Edit -> delete url change BUG : As I stated I hadn't ctested...

Thu, 28 Oct 2004 09:42:32 +0000

Author: ljamal
Subject: 12295
Posted: 28 October 2004 at 9:42am

As I stated I hadn't ctested it. Here is the tested code that works.

' LJAMAL MOD 26 OCT 2004
' CORRECTS THE ABILITY FOR USERS TO DELETE POST BY CHANGING URL
If lngDelMsgAuthorID = lngLoggedInUserID then
     Dim RSCheck
     Set RSCheck = Server.CreateObject("ADODB.Recordset")
     strSQL = "select " & strDbTable & "Thread.Thread_ID From "& strDbTable & "Thread WHERE " &_
                  strDbTable &"Thread.Topic_ID in (select "&strDbTable &"Thread.Topic_ID from " & strDbTable & "Thread where "&_
                  strDbTable & "Thread.Thread_ID =" & lngMessageID & ") and "&_
                  strDbTable &"Thread.Message_date > (select "&strDbTable &"Thread.Message_date from " & strDbTable & "Thread where "&_
                  strDbTable & "Thread.Thread_ID =" & lngMessageID & ");"

     RSCheck.Open strSQL, adoCon

     if not RSCheck.EOF then
           blnDelete = False
     end if
     RSCheck.Close
     Set RSCheck = Nothing
end if
' END MOD

Edited by ljamal

Edit -> delete url change BUG : I have cracked it :), it was not...

Thu, 28 Oct 2004 07:42:31 +0000

Author: theSCIENTIST
Subject: 12295
Posted: 28 October 2004 at 7:42am

I have cracked it :), it was not the simple patch (couple of lines of code) I wanted, but it works fine.

Again insert this code after line 147 in delete_post.asp:

'/* =================================================== */

'/* Patch by theSCIENTIST on 28 October  2004         &n bsp;  */

'/* =================================================== */

'/* This patch fixes the vulnerability in which         */

'/* a user could delete his own posts, regardless of    */

'/* wether theres replies to it or not. The Author      */

'/* can still delete the post if its the only post      */

'/* in that Topic or if its the last post in the Topic. */

'/* Admins priviledges have not been  changed.        &nbs p;  */

'/* =================================================== */



'/* If the user requesting deletion is the same as the user that posted the post to be deleted then... */

If lngDelMsgAuthorID = lngLoggedInUserID Then 



  Dim ducbRS, ducbTopic, ducbDelPostDate, ducbCount, ducbLastPostDate



  '/* This first query is only needed to determine the date of the  */

  '/* post to be deleted, and to get the Topic that post belongs to */

  Set ducbRS = Server.CreateObject("ADODB.Recordset") 



  strSQL = "SELECT " & strDbTable & "Thread.Thread_ID, " & strDbTable & "Thread.Topic_ID, " & strDbTable & "Thread.Author_ID, " & strDbTable & "Thread.Message_date "

  strSQL = strSQL & "FROM " & strDbTable & "Thread "

  strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID=" & lngMessageID & ";"



  ducbRS.Open strSQL, adoCon

  

  If Not ducbRS.EOF Then

    ducbTopic = ducbRS("Topic_ID")

    ducbDelPostDate = ducbRS("Message_date")

  End If



  '/* Close recordset */

  ducbRS.Close

  Set ducbRS = Nothing



  '/* This second query will get and count all posts belonging to the Topic in question */

  Set ducbRS = Server.CreateObject("ADODB.Recordset")



  strSQL = "SELECT " & strDbTable & "Thread.Thread_ID, " & strDbTable & "Thread.Topic_ID, " & strDbTable & "Thread.Author_ID, " & strDbTable & "Thread.Message_date "

  strSQL = strSQL & "FROM " & strDbTable & "Thread "

  strSQL = strSQL & "WHERE " & strDbTable & "Thread.Topic_ID=" & ducbTopic & ";"



  '/* Dynamic recorset because we need to ride it */

  ducbRS.CursorType = 2



  ducbRS.Open strSQL, adoCon



  '/* Do the counting */

  Do While Not ducbRS.EOF

    ducbCount = ducbCount + 1

    ducbRS.MoveNext

  Loop



  '/* If theres more than 1 post in this Topic then... */

  If ducbCount > 1 Then



    '/* Move to last post and collect its date */

    ducbRS.MoveLast

    ducbLastPostDate = ducbRS("Message_date")



    '/* If the date of the post to be deleted is older than the last post, in effect if  */

    '/* this is true then theres a new reply to the post, so dont allow delete operation */

    If ducbDelPostDate < ducbLastPostDate Then

      blnDelete = False

    End If



  End If



  '/* Close recordset */

  ducbRS.Close

  Set ducbRS = Nothing



End If

'/* =================================================== */

I had to make 2 DB calls because the Topic_ID is not passed along from the delete request, but you can change the request to include a TID and skip the first DB query if you want.

NOTE: The parsing of this post actually disrupts the code and it may add spaces to it, so if you want to see the code ready for cut and paste I have set a text file of it here:

View code

You can see in the queries that I'm requesting the Author_ID also even thou I don't use it, this was because I wanted to make it so if the same Author posts several posts and no other Author replies to it, he can delete at will, I guess I'll do this later on.

Tell me how it preforms.

Edit -> delete url change BUG : ljamal: Your attempt did not work,...

Thu, 28 Oct 2004 04:34:26 +0000

Author: theSCIENTIST
Subject: 12295
Posted: 28 October 2004 at 4:34am

ljamal: Your attempt did not work, I have tested it, also your query syntax was erroring out, it should've been:

strSQL = "select " & strDbTable & "Thread.Thread_ID From " & strDbTable & "Thread WHERE " &_

strDbTable & "Thread.Message_date > (select " & strDbTable & "Thread.Message_date where " &_

strDbTable & "Thread.Thread_ID =" & lngMessageID & ");"

I'm also trying to fix this with a simple to use patch, will reply when done.

Edit -> delete url change BUG : Try this right after line 147...

Tue, 26 Oct 2004 15:20:39 +0000

Author: ljamal
Subject: 12295
Posted: 26 October 2004 at 3:20pm

Try this right after line 147 in delete_post.asp
It should work, but I haven't tested it. Basically it checks to see if the threads has any posts after the user's post. If there are posts then only an admin or mod can delete the post.

Let me know if it works and I'll release it as a MOD or maybe borg will add it to correct the current release.

' LJAMAL MOD 26 OCT 2004
' CORRECTS THE ABILITY FOR USERS TO DELETE POST BY CHANGING URL
If lngDelMsgAuthorID = lngLoggedInUserID then
     Dim RSCheck
     Set RSCheck = Server.CreateObject("ADODB.Recordset")
     strSQL = "select " & strDbTable & "Thread.Thread_ID From "& strDbTable & "Thread WHERE " &_
                 strDbTable &"Thread.Topic_ID in (select "&strDbTable &"Thread.Topic_ID from " & strDbTable & "Thread where "&_
                 strDbTable & "Thread.Thread_ID =" & lngMessageID & ") and "&_
                 strDbTable &"Thread.Message_date > (select "&strDbTable &"Thread.Message_date from " & strDbTable & "Thread where "&_
                 strDbTable & "Thread.Thread_ID =" & lngMessageID & ");"

     RSCheck.Open strSQL, adoCon

     if not RSCheck.EOF then
           blnDelete = False
     end if
     RSCheck.Close
     Set RSCheck = Nothing
end if
' END MOD

This has been updated to correct the flawed code. The code above has been tested and corrects the flaw.

Edited by ljamal

Edit -> delete url change BUG : For a temp fix you could set edit...

Tue, 26 Oct 2004 14:04:43 +0000

Author: MadDog
Subject: 12295
Posted: 26 October 2004 at 2:04pm

For a temp fix you could set edit and delete permissions to admin only.That would make it so admins could be the only one allowed to edit ordelete posts.

Edit -> delete url change BUG : I am working on it, but as it...

Tue, 26 Oct 2004 05:27:27 +0000

Author: WebWiz-Bruce
Subject: 12295
Posted: 26 October 2004 at 5:27am

I am working on it, but as it will mean allot of work and changing ofcode there will not be a quick fix, so it will not be available for thepresent version.

Edit -> delete url change BUG : But one or more others could do...

Mon, 25 Oct 2004 18:25:59 +0000

Author: Marino2
Subject: 12295
Posted: 25 October 2004 at 6:25pm

But one or more others could do the same in the future, the problem will exists until it is solved...

Well, for the moment I've forbidden the deletion of posts, except for mods and admins and the trick could not be used anymore.
Hope someone will do a patch for that, thanks in advance.

Cheers

Edit -> delete url change BUG : Then maybe it's time to suspend...

Mon, 25 Oct 2004 11:01:33 +0000

Author: WebWiz-Bruce
Subject: 12295
Posted: 25 October 2004 at 11:01am

Then maybe it's time to suspend this persons account to prevent him from doing such things.

Edit -> delete url change BUG : Thank you, because he's know...

Mon, 25 Oct 2004 09:46:56 +0000

Author: Marino2
Subject: 12295
Posted: 25 October 2004 at 9:46am

Thank you, because he's know sending MP's with modified links hidden behind pictures or fake links to others members and then they delete their own messages without knowing

Edit -> delete url change BUG : I shall look into the problem. ...

Sat, 23 Oct 2004 14:10:38 +0000

Author: WebWiz-Bruce
Subject: 12295
Posted: 23 October 2004 at 2:10pm

I shall look into the problem.