FS#212 Security Breach when trying to register with closed register option

Security

• 

  2005-03-23

  Security Breach in Closing Registering
  
  I closed the registration of Wiki from options (openregister=0). Then, as a public (non-user) I tried in the browse the url that Wiki uses for registration (http://example.com/dokuwiki/doku.php?do=register&id=start). It won't allow registration but displays the secure content of start page, while in ACL configuration file I defined no access to start for public (It respect the rule (no displaying) in normal situations and nobody is able to see the content of first page). Given this bug, anyone can nevigate all Wiki by gradually learning the name of the pages and trying them in the url with 'do=register'!!!!
  
  Please fix this (checking the ACL when do=register for displaying any page).
  
  Cheers,
  Hamid (hamid_m79@yahoo.com)
  
  -------------------------
  
  QUICKFIX-SOLUTION placed here until I figure out how to make comments publically available....
  
  You're right. As a hotfix: Users who disabled openregister should remove 'register' from the array in the permission check (Around line 116 in doku.php).
  
  So change the line from
  
  }elseif(in_array($ACT,array('login','register','search','recent'))){
  
  to
  
  }elseif(in_array($ACT,array('login','search','recent'))){
  
  
  
  
• 

  2005-03-23 andi

  You're right. As a hotfix: Users who disabled openregister should remove 'register' from the array in the permission check (Around line 116 in doku.php).
  
  So change the line from
  
   }elseif(in_array($ACT,array('login','register','search','recent'))){
  
  to
  
   }elseif(in_array($ACT,array('login','search','recent'))){
  
  
• 

  2005-03-23 RobM

  The comment above is only readable by logged-in users. I just created an account to submit my own patch, and found the above comment.
  
  Ideally it ought to be publically viewable!
• 

  2005-03-23 RobM

  My own bugfix for this is as follows:
  
  In /doku.php, find:
  
     }elseif($ACT == 'register' && $conf['openregister']){
       html_register();
  
  and replace it with:
  
     }elseif($ACT == 'register'){
       if($conf['openregister']){
         html_register();
       }else{
         print parsedLocale('noregister');
       }
  
  Now you just need to create the message you'd like displayed when users try to register when openregister is disabled bu placing a new file called "noregister.txt" in /lang/en/ (substituting en for your own language).
  
  For your convenience, my own noregister.txt looks like this:
  
  ====== Registering as a new user has been disabled ======
  
  Creating new acounts has been disabled. If you feel this is an error, or that
  you still want an account, please contact the webmaster.
  
• 

  2005-03-23 mjakl

  Hm I guess its not that easy. I have openregister enabled, but some pages are only visible to people within a specific group, when I'm not logged in and append &do=register to one of these pages I can see the contents - not the login page.
  
  Michael
• 

  2005-03-23 mjakl

  Argh - no! Sorry forget my previous comment - I don't have openregister enabled...
• 

  2005-04-24 andi

  fixed in devel, evryone else should use the quickfix below