RedJumpsuit

jobberBase custom development and support

 

Code School

New jobberBase security hole found

dangersomeone from the jobberBase forum recently reported a security hole that i was able to validate as 100% accurate.

i will not go into details (in case someone takes advantage of this vulnerability before the job board owners can update their sites) and will just provide a temporary fix so you can immediately protect your site. note that this is a temporary solution and not the official fix released by jobberBase.

open /_templates/default/publish-confirmation.tpl and look for this block:

<h4>{$translations.publish.options_title}</h4>
<p>
    {$translations.publish.options_info}:
</p>
<ul>    
    <li><a href="{$BASE_URL}post/{$CURRENT_ID}/{$auth}/" title="{$translations.publish.edit}">&raquo; {$translations.publish.edit}</a></li>
    <li><a href="{$BASE_URL}deactivate/{$CURRENT_ID}/{$auth}/" title="{$translations.publish.deactivate}">&raquo; {$translations.publish.deactivate}</a></li>
</ul>

this is the offending block and should be removed temporarily. you should backup this file and store it somewhere so that when the official fix is released, you can restore the file you modified.

6 Comments

Code School

  1. I have searched the file mentioned above but cannot find that block.

    Are you sure this is the right file?

  2. yes it’s the correct file. if you are on v1.9.1 and using the default template with no modifications…it should be from Line 43 to Line 50

  3. I just dicovered some spam-links within new -tags on de ‘pages’-section of my site. All the pages (about, contact etc) were infected.

    Has this something to do with your security hole ?

  4. the best solution is to remove this block of code, activating the ads through the administration panel, and sending an email with the relevant codes (edit and disable) …

  5. I just downloaded and installed 1.9.1 a week ago, August, 2013. Is this still an issue a year after this post was published or was the fix included in the latest 1.9.1 (which I realize sounds dumb because it would likely be a newer version number)? If its not included, you said the code block should be removed temporarily until the official fix is released. Can you say when it will be released or can you email me with the fix? I removed the code block and I don’t see any change in posting functions. Should I see something new? Thanks!

  6. Hi,

    No, as far as I can see this security hole is also in the latest version.

    Basically anybody can get the edit or deactivation links for any ad on your site. It’s a huge security hole. I will see if I can come up with a fix.

    Cheers
    Bryan

Leave a Response