neue medienordnung plus
  last edited: Tue, 14 Nov 2017 02:59:07 -0500  
  • I created webpage WPB http://dummy.org/page/wpb on channel B with [observer=1/0] protected content
  • I created token TCA for channel A (zat=tca)
  • I opened webpage WPB with the token for channel A
  • I see the protected content in webpage WPB
Hubzilla version 2.8.1

@Mike M. closed the issue https://github.com/redmatrix/hubzilla/issues/909 , but I think this is a bug: Hubzilla displays protected content in webpage WPB to a visitor with token TCA, which is valid for channel A, because I created the token for access to channel A, not to channel B.

Similar to Login on Hubs:
  • a valid login on hub https://hub.libranet.de/ is not a permission to log in on hub https://macgirvin.com/
  • I expect that a valid token for https://hub.libranet.de/channel/nmoplus gives no permission for https://hub.libranet.de/channel/wallzilla
I think the current behaviour of the token solution is a danger for channel security:
a malicious user from channel https://hub.libranet.de/channel/A can create a token TCB and get access to token-protected content on channel https://hub.libranet.de/channel/B

Token management is located with channel owner A. This fact suggests that a token from channel A is valid for channel A. I think an average user assumes that tokenized access protects their content. What do you think? Please vote pro or contra on this statement:

A token for channel A gives no permission to access token-accessible content from channel B

#tokenmanagement #token @Hubzilla Support Forum+ @Hubzilla Development+
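The statement put to the vote above, modelled as an access check. This is an added example and not Hubzilla code: it does not reproduce Hubzilla's real zat/ACL handling, it only contrasts an unscoped check (any valid token authenticates the viewer) with a channel-scoped one (the token must have been issued by the channel that owns the page). The tokens, pages and channel names are constructed sample data mirroring the report.

```python
"""Channel-scoped access tokens (illustrative model, not Hubzilla's implementation)."""
from dataclasses import dataclass
from typing import Dict, Optional
import hmac


@dataclass(frozen=True)
class Token:
    secret: str
    channel: str  # channel whose owner issued the token


@dataclass(frozen=True)
class Page:
    path: str
    channel: str  # channel that owns the page
    public: bool = False


# Constructed sample data: TCA was issued by channel A, TCB by channel B;
# page WPB belongs to channel B, page WPA to channel A.
TOKENS: Dict[str, Token] = {
    "tca": Token("tca", "A"),
    "tcb": Token("tcb", "B"),
}
PAGES: Dict[str, Page] = {
    "wpb": Page("wpb", "B"),
    "wpa": Page("wpa", "A"),
}


def lookup_token(zat: str) -> Optional[Token]:
    """Resolve a presented token value; compare in constant time to avoid timing leaks."""
    for secret, tok in TOKENS.items():
        if hmac.compare_digest(secret.encode(), zat.encode()):
            return tok
    return None


def can_view_unscoped(page_id: str, zat: str) -> bool:
    """Behaviour the report complains about: any valid token counts as 'authenticated'
    regardless of which channel issued it."""
    page = PAGES[page_id]
    return page.public or lookup_token(zat) is not None


def can_view_scoped(page_id: str, zat: str) -> bool:
    """Behaviour the statement asks for: the token must come from the page's own channel."""
    page = PAGES[page_id]
    if page.public:
        return True
    tok = lookup_token(zat)
    return tok is not None and tok.channel == page.channel


if __name__ == "__main__":
    # Visitor presents channel A's token on channel B's page (the scenario in the post).
    print("unscoped:", can_view_unscoped("wpb", "tca"))  # True
    print("scoped:  ", can_view_scoped("wpb", "tca"))    # False
```

The only difference between the two checks is the `tok.channel == page.channel` comparison; everything else (token lookup, public pages) is identical, which is the point of the proposal: binding the token to the issuing channel, not changing how tokens are created.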
Mario Vavti
  
@neue medienordnung plus the observer tag has nothing to do with permissions or protection as you call it.

observer=1 content will be visible to any authenticated channel and/or guest token allowed to see the content (in terms of being allowed to view your webpage via the ACL).

observer=0 content will be visible to any not authenticated viewer.

observer=0/1 basically only works with public content since we need to be authenticated to see restricted content. So any channel viewing restricted content will always see the content of observer=1.
neue medienordnung plus
  
@Mike Macgirvin: Thank you for the detailed answer. I think this hack
All somebody has to do is "view source" and they can see whatever it is you're trying to hide.
is not suitable for viewing content hidden with [observer=0/1][/observer]. Can you see what I hid in this demo page https://hub.libranet.de/page/wallzilla/vertrauliche-inhalte-freigeben-demoseite_de :-)?

I think that without the option of "access control at the paragraph level" it is very difficult for a developer of Hubzilla apps to develop an attractive (killer) Hubzilla app.
neue medienordnung plus
  
OK, that is my fallacy. And for advanced server-side access control at the paragraph level, Hubzilla developers need tools such as AJAX with ACL support, right?

It's me
 
I think this flies in the face of conventional wisdom for security. Instead, the new hub should make a request to the old hub, and the user should have to go to the old hub and accept the request to clone the channel, perhaps also providing email + password for security.
Andrew Manning
  
Also it is possible to import the channel using a channel data file exported from the original hub. The original hub does not even need to be online when you upload the file to the new hub.
It's me
  
sorry if this came across aggressively heh
Mike Macgirvin
  
Not at all.

Andrew Manning
  last edited: Wed, 04 May 2016 06:21:28 -0400  
There is a serious #vulnerability in #ImageMagick (CVE-2016-3714), which is image processing software used on many hubs. Until this issue is resolved and patched, I recommend people follow Mike's suggestion to disable its use in Hubzilla using the hidden config:

cd /path/to/hubzilla/root/
util/config system ignore_imagick 1

ImageTragick

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild. A number of image processing plugins depend on the ImageMagick library, i...


@Channel One+
Waitman Gobble
  last edited: Sat, 07 May 2016 01:04:07 -0400  
Thanks for posting, I've been hella busy this week and just read about the issue with ImageMagick.
I also temporarily added a jpeg check in
include/api.php
include/attach.php
include/photos.php
There's reportedly a way to mitigate using policy.xml in ImageMagick but I've not time to research at the moment.
Raymond Monret
  last edited: Sun, 08 May 2016 11:44:39 -0400  
Here is the mitigation. IM should be patched within a few days.

ImageMagick Security Issue - ImageMagick
We have recently received vulnerability reports for certain coders, they include possible remote code execution and ability to render files on the local system. The ImageMagick policy was developed many years ago to help prevent possible exploits and is discussed here: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=26801. To preve...
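The policy-based mitigation the ImageMagick announcement refers to (and that Waitman mentions above) is a policy.xml that denies the coders abused by the vulnerable delegates. This is an added example, not a file from Hubzilla or from the announcement; the coder list is the one ImageMagick published as the interim hardening. Where policy.xml lives depends on the distribution (for example /etc/ImageMagick-6/policy.xml or /etc/ImageMagick/policy.xml), so the path is an assumption to check on your own hub.

```xml
<!-- Added example: interim ImageMagick hardening policy. Merge these entries into
     the existing <policymap> of your policy.xml rather than replacing the file. -->
<policymap>
  <!-- Deny the coders that can be driven by crafted image files to run
       delegate commands or read/write arbitrary local files. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

After editing, confirm the policy is actually loaded with `convert -list policy` (the denied coders should appear with no rights); an ImageMagick build that reads a different policy.xml than the one you edited gives no protection. This policy is a stopgap alongside Hubzilla's ignore_imagick switch and a file-type check on uploads, not a replacement for the patched ImageMagick release.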
Mike Macgirvin
  
In Hubzilla the only functional advantage Imagick has over GD is that it lets you scale animated GIFs.