I have disabled guest comments posting , allowed only registered users to post comments and I have removed the add comment permission from the everybody group, but I am still getting spam by a guest poster. How is this possible?
Gallery version = 2.2.1 core 1.2.0.1
PHP version = 4.4.4 apache
Webserver = Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Database = mysql 4.0.27-standard, lock.system=flock
Toolkits = LinkItemToolkit, Gd, Thumbnail
Acceleration = none, none
Operating system = Linux
Default theme = matrix
gettext = enabled
Locale = en_US
Browser = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Media Center PC 4.0; Crazy Browser 2.0.1)
Rows in GalleryAccessMap table = 637
Rows in GalleryAccessSubscriberMap table = 6426
Rows in GalleryUser table = 26
Rows in GalleryItem table = 6422
Rows in GalleryAlbumItem table = 173
Rows in GalleryCacheMap table = 0
Posts: 32509
Merira
Probably you didn't remove the add comment permission from all albums / items.
Which item has a new spam comment?
Browse to that item and on the page of that item, click on "edit permissions."
What permissions does that item have?
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 32509
And please verify that you didn't add the guest user to the "registered users" or to the site admin group.
the guest user should only be in the "everybody" group.
you can check this at site admin -> groups.
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 17
Probably you didn't remove the add comment permission from all albums / items. I did the time it was added was after I fixed the settings
Which item has a new spam comment? The Overall Album
What permissions does that item have?
Registered Users [comment] Add comments
Moderators [core] Edit item
Moderators [comment] Edit comments
Moderators [comment] Delete comments
Everybody [core] View all versions
Everybody [comment] View comments
Site Admins All access
And please verify that you didn't add the guest user to the "registered users" or to the site admin group. No Guest is not an admin or moderator just a user
the guest user should only be in the "everybody" group. It is not and When I tried adding Guest I got this message 'You cannot edit that group's users'
Posts: 32509
looking at the code, it seems to be pretty impossible to post a comment unless you have the permission to add one.
thus i must assume that something's odd in your settings or your setup.
is your g2 embedded/integrated?
>> Which item has a new spam comment?
> The Overall Album
please post a link to that item / album
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 17
is your g2 embedded/integrated? No
please post a link to that item / album
http://www.trinbagopan.com/gallery2/main.php
Recent comments to the bottom, I left the Spam
Posts: 32509
Thanks.
I looked at the code and although it says (guest), it could be a comment by one of your registered users that tricked the UI.
In your database, please the the commenterId value in the g2_Comment table.
select g_commenterId from g2_Comment where g_id = 18260;
and
select c.g_commenterId, u.g_userName from g2_Comment c, g2_User u where g_id = 18260 and c.g_commenterId = u.g_id;
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 17
UI = User Id?
In your database, please the the commenterId value in the g2_Comment table.
select g_commenterId from g2_Comment where g_id = 18260;
What does that mean?
Once I get this info what am I doing to prevent it in the future?
I this a bug or security violation?
Posts: 32509
UI = user interface (the g2 pages)
> What does that mean?
i assume you have phpmyadmin or another tool to administer / manage the database for your website. that's usually part of cPanel, or whatever too you use to administer / manage your domain / website.
in phpmyadmin, please execute the 2 SQL queries i wrote down in my previous post.
it should return a result for that SQL query which i'm interested in.
> Once I get this info what am I doing to prevent it in the future?
you and i are just finding out what's going on. it's too early to draw any conclusions and i haven't seen a bug / security issue yet.
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 17
These are the results I got....
select g_commenterId from g2_Comment where g_id = 18260;
g_commenterId 5
select c.g_commenterId, u.g_userName from g2_Comment c, g2_User u where g_id = 18260 and c.g_commenterId = u.g_id;
Error
SQL query:
SELECT c.g_commenterId, u.g_userName
FROM g2_Comment c, g2_User u
WHERE g_id =18260
AND c.g_commenterId = u.g_id
LIMIT 0 , 30
MySQL said:
#1052 - Column: 'g_id' in where clause is ambiguous
Posts: 32509
ok, don't need the second query. id 5 is the guest user.
so the comment is indeed by a guest user.
do you trust all your site admins and moderators?
they could add a comment and change the comment-user afterwards to guest...
and are you 100% sure that the comment was added after you removed the "add comment" permission from the guest user?
please also post the results of:
select g_groupId from g2_UserGroupMap where g_userId = 5;
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 17
do you trust all your site admins and moderators? yes
and are you 100% sure that the comment was added after you removed the "add comment" permission from the guest user? yes
please also post the results of:
select g_groupId from g2_UserGroupMap where g_userId = 5;
g_groupId 4
Posts: 32509
ok, so the guest user is indeed just a user of the everybody group. good.
please delete the comment, change your apache access logging settings to log GET and POST parameters (usually it logs only GET) and see if it happens again.
if it happens again, verify that the commented g2 item has no "add comment" permissions for the guest user or the everybody group and check the timestamp. with the timestamp, check the apache access logs to see the exact request that lead to the comment. (and maybe the requests before from the same origin IP).
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 17
Ok will let you know as soon as they come back
Posts: 17
Valiant, they posted the spam on the board again I have the info from the logs, Can I send it privately, it may have some info that I think should not be in the open?
Posts: 32509
Merira
Thanks for providing the apache access log entries.
But the logs don't include the POST params and since it seems that you're running PHP and mod_php and not as php-cgi, we can't log the full request (POST params) on the apache level.
Thus we have to log the requests in G2...
Please download the attached AddComment.zip, extract it and put the Addcomment.inc file into your modules/comment/ folder overwriting the original modules/comment/AddComment.inc file.
Also, please create a file "log.txt" in your gallery2/ folder and chmod it 777 (= change the permissions of gallery2/log.txt to world-writeable).
Delete again the existing spam comment and let's wait until another spam comment gets posted.
Once that happens, please send me the log.txt and the corresponding access log of the webserver. Also, please give me a larger snippet from the access log. it should include all requests 1 hour before and after the incident.
thanks.
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 17
Done as requested.
Posts: 17
Spammed again here are the logs, password sent to you
http://www.trinbagopan.com/valiant/log.txt
http://www.trinbagopan.com/valiant/accesslogs.txt
Posts: 32509
Merira
- What's your session timeout? It's defined in site admin -> general.
- when (date & time) did you remove the "add comment" permission from the guest user / everybody group?
- please check the session creation time of the following sessions:
(queries sent via private message)
My current theory is that those guest-sessions have been created before you changed permissions.
We cache permissions in sessions and we don't delete those sessions when changing permissions.
We didn't consider it a bug, we know about it and the idea behind it is that the dirty parts of this permission cache would go away pretty quickly.
Looks like we'll have to reassess this assumption and maybe find a better solution.
But let's first wait for the results.
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 17
Session Lifetime 3 weeks
Inactivity Timeout 1 week
Yes the sessions were there before I changed the permission.
Do I change it now?
Posts: 32509
Truncate the g2_SessionMap database table. (delete all rows of the g2_SessionMap database table)
I guess your case can be closed.
I'll discuss this issue with my fellow Gallery devs to see if and how we should address this.
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 32509
Note: You can restore your original modules/comment/AddComment.inc again.
--------------
Documentation: Support / Troubleshooting | Installation, Upgrade, Configuration and Usage
Posts: 17
Thank you, I will keep you informed