CMS MADE SIMPLE FORGE

TinyMCE

 

[#12308] Caching admin keys in js file makes session break

Created By: Ruud van der Velden (ruudvdvelden)
Date Submitted: Mon May 11 11:14:55 -0400 2020

Assigned To: Morten Poulsen (silmarillion)
Version: 3.3.1
CMSMS Version: 2.2.14
Severity: Major
Resolution: Accepted
State: Closed
Summary:
Caching admin keys in js file makes session break
Detailed Description:
Seems TinyMCE is Smarty-processing and caching the
modules\MicroTiny\templates\tinymce_config.js file, which results in a cached
file with secret information in e.g. the linker_url and linker_autocomplete_url.

Besides possibly being a security issue (didn't research), this makes the
module break the admin user session under certain circumstances.

Reproduce:
Login as admin user.
Clear cache of CMSMS
Write down the security key in the admin url of the browser (__c parameter)
Edit a content page with TinyMCE wysiwyg editor
Open 'Create a link to a content page' dialog. 
Type a part of the page name until a result is displayed
Cancel everything and logout of CMSMS admin panel

Login using the same admin user
Write down the security key in the admin url of the browser (__c parameter)
Edit a content page with TinyMCE wysiwyg editor
Open 'Create a link to a content page' dialog. 
Type a part of the page name and note no result is displayed

Cancel everything - also editing of the page - and note your session is broken
(logged out automatically)


Check the CMSMS cache for the tmp/cache/tinymce_[xxx].js file and check the
linker_url and linker_autocomplete_url. Compare the value of the __c parameter
with the ones written down earlier.
In my case this value didn't match the value from the second login.

example:
http://localhost/cmsms2214/tmp/cache/tinymce_815b2f1c700c088ff67b1685b3fa75a1.js

Original file:
modules\MicroTiny\templates\tinymce_config.js

modules\MicroTiny\lib\class.microtiny_utils.php line 139 starts the use of this
'template'


History

Comments
Date: 2020-05-11 14:19
Posted By: Chris Taylor (chrisbt)

tested and failed exactly as stated

awesome effort tracking that down Velden :)
      
Date: 2020-05-11 17:26
Posted By: Franck (knarf)

Confirmed.
      
Date: 2020-05-12 06:23
Posted By: Tristan (tristan)

Tested as well, can confirm!
      
Date: 2020-05-12 15:47
Posted By: Ruud van der Velden (ruudvdvelden)

Seems I was wrong about location of code.

Problem is in modules\TinyMCE\TinyMCE.module.php line 132
Return value of session_id() is NOT unique for a CMSMS session but for a BROWSER
session. As browser sessions nowadays are rather persistent (even closing a
browser with open tabs can result in the session being resumed when the browser
is started again) the function session_id() is not suitable for this purpose.
Also, if a user doesn't close his browser at all between logoff and login the
session will be the same.

Possibly - for admin requests - $_SESSION[CMS_USER_KEY] could help solving this
problem.
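
The cache-scoping problem described in the comment above, as an added illustration that is not CMSMS or TinyMCE module code. The function names, the md5-based file name, the URL and the sample keys are assumptions constructed for the example; it models two admin logins in one browser, where the PHP session id stays the same and the __c key changes.

```php
<?php
// Added illustration, not CMSMS/TinyMCE module code. All names and values are constructed.

// Assumed naming scheme: the cached config file is named after a hash of a "scope" key.
function cache_name(string $scopeKey): string
{
    return 'tinymce_' . md5($scopeKey) . '.js';
}

// Render the config once per cache name; later requests get the stored copy,
// including whatever __c value was current when it was first rendered.
function get_config(array &$cache, string $scopeKey, string $adminKey): string
{
    $name = cache_name($scopeKey);
    if (!isset($cache[$name])) {
        // Constructed URL; only the __c parameter matters here.
        $cache[$name] = "linker_url: 'admin/example.php?__c=" . $adminKey . "'";
    }
    return $cache[$name];
}

// Two admin logins in the same browser. Returns, per login, whether the
// served config carries the __c key that is valid for that login.
function simulate(bool $scopeByLoginKey): array
{
    $cache = [];
    $browserSessionId = 'constructed-session-id'; // stands in for session_id()
    $fresh = [];
    foreach (['constructed-key-login-1', 'constructed-key-login-2'] as $adminKey) {
        // Either scope the cache by the browser session or by a per-login value.
        $scope = $scopeByLoginKey ? $adminKey : $browserSessionId;
        $js = get_config($cache, $scope, $adminKey);
        $fresh[] = strpos($js, '__c=' . $adminKey . "'") !== false;
    }
    return $fresh;
}

var_dump(simulate(false)); // cache scoped by session id (the reported behaviour)
var_dump(simulate(true));  // cache scoped by a per-login value (the suggested direction)
```

With the session-id scope, the second login is served the file rendered during the first login, which is the __c mismatch the report describes.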



      
Date: 2020-05-28 14:57
Posted By: Morten Poulsen (silmarillion)

Fixed in svn as suggested by Velden. Thank you!
      
Updates

Updated: 2020-05-28 14:57
resolution_id: 5 => 6
assigned_to_id: 100 => 113
state: Open => Closed

Updated: 2020-05-12 15:47
resolution_id: => 5