NineChime forum

Furry stuff, oekaki stuff, and other stuff.


#1 12-14-2011 00:27:07

Roh
Guest

Picture issue in Wacintaki 1.5.5?

Hi there,

I've sent an email to who I believe is the individual in charge of Wacintaki, but I thought I should make a summary post here in case that mailbox isn't checked often. I think I've come across a security vulnerability in my Wacintaki wherein any level user (they would have to be a user) can circumvent user settings and picture settings to upload a picture, edit another person's picture, and edit their picture info. In essence it allows a person to upload when they shouldn't be allowed to AND/OR edit another person's already published picture despite picture settings. I won't put details here since I've already included them in the email, but I thought it might be of interest. Hopefully I've acted correctly in placing a note here as well.

So please check your email account for details. I can be reached at r o b e r t (d o t) l o r a y n (a t) g m a i l (d o t) c o m

Thanks in advance.

#2 12-14-2011 02:54:38

coldZou
New member

Re: Picture issue in Wacintaki 1.5.5?

Indeed! There was also a serious vulnerability I've called 'owner mutiny' where you could suppress, even ban, the owner if you were a moderator (maybe just by being a member). Isn't that fixed since 1.5.9?


#3 12-14-2011 04:30:58

Waccoon
Administrator

Re: Picture issue in Wacintaki 1.5.5?

I've received your e-mail.  The way you described it to me is that you can import someone else's picture into the applet and upload it as a new post under your own name.  This is true, and it's a feature of the applets that I cannot prevent or disable.  However, it is not possible to modify image data that already exist on the board under another member's account.  This is because a userID and hashed password are required to edit any image.  Some improvements can be made here, but it's an administration issue rather than a security problem.

There is another issue you mentioned in your e-mail that I will have to investigate tomorrow.  I'll get back to you on that, as well as your question about custom templates.

coldZou wrote:

There was also a serious vulnerability I've called 'owner mutiny' where you could suppress, even ban, the owner if you were a moderator

Yes, this was patched a while ago in Wacintaki 1.5.7 and Wax Poteto v5.8.4.
