jobberBase dev blog

jobberBase is the open-source job board software
that helps you set up a jobsite in minutes!


Security issue explained + FIX

Affected versions: 1.7, 1.8, 1.9
Not affected: latest (1.9.1) and older than 1.7 (I hope nobody’s still running them!).

The issue

In a nutshell: in a typical API request with data returned as “js”, the job publisher’s email address is revealed, as well as the secret “auth” hash used for editing/deleting jobs (without an account). A typical API request looks like this:
/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=100&response=js
e.g. http://www.jobberbase.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=100&response=js

Inside the jobs array/JSON, you’ll see that each job has 2 fields that shouldn’t be there: auth and poster_email.
*auth* is the auth string used in URLs for editing and deactivating job ads.
*poster_email* is the actual email address of the advertiser.

Bad.

The fix

In your _includes/class.Job.php:

a) Search for method ApiGetJobs. On line 501, there should be a while-loop after the big SELECT for jobs. Replace the contents in that while-loop with:
$current_job = new Job($row['id']);      // load the full job record for this row
$job = $current_job->GetInfo();          // returns an associative array of job fields
unset($job['poster_email']);             // never expose the advertiser's email via the API
unset($job['auth']);                     // never expose the edit/deactivate secret via the API
$jobs[] = $job;                          // only the sanitized record goes into the response

b) Do the same for method ApiGetJobsByCompany (the while-loop should be on line 541 after you made the change in a).
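The fix above removes the two known fields by name, which means any sensitive column added to the jobs table later would be exposed again by default. As an added example (not jobberBase's own code), the helper below inverts that: it keeps only an explicit allowlist of public fields and then checks the serialized response for the secret keys before it is sent. The field names other than id, auth and poster_email are assumptions, not jobberBase's actual schema.

```php
<?php
// Added example, not jobberBase code. Public fields are allowlisted; everything
// else (including columns that do not exist yet) is dropped. Names other than
// 'id', 'auth' and 'poster_email' are assumed for illustration.
const API_PUBLIC_JOB_FIELDS = ['id', 'title', 'company', 'location', 'created_on'];

// Keys that must never leave the server, regardless of what the allowlist says.
const API_SECRET_JOB_FIELDS = ['auth', 'poster_email'];

function api_public_job(array $job): array
{
    // Keep only allowlisted keys; unknown or new columns are not exposed.
    $public = array_intersect_key($job, array_flip(API_PUBLIC_JOB_FIELDS));
    // Belt and braces: strip the secrets even if someone edits the allowlist.
    foreach (API_SECRET_JOB_FIELDS as $secret) {
        unset($public[$secret]);
    }
    return $public;
}

// Walks the decoded response recursively and reports whether any secret key
// is present at any depth (jobs may be nested under a wrapper array).
function api_response_leaks_secrets(string $json): bool
{
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return false;
    }
    $stack = [$decoded];
    while ($stack) {
        $node = array_pop($stack);
        foreach ($node as $key => $value) {
            if (in_array($key, API_SECRET_JOB_FIELDS, true)) {
                return true;
            }
            if (is_array($value)) {
                $stack[] = $value;
            }
        }
    }
    return false;
}

// Constructed sample row shaped like a raw GetInfo() result (values are made up).
$row = ['id' => 42, 'title' => 'PHP developer', 'company' => 'Example Ltd',
        'location' => 'Remote', 'created_on' => '2010-01-01',
        'auth' => 'SECRET-AUTH-PLACEHOLDER', 'poster_email' => 'poster@example.invalid'];

$response = json_encode(['jobs' => array_map('api_public_job', [$row])]);
if (api_response_leaks_secrets($response)) {
    throw new RuntimeException('API response still carries auth/poster_email');
}
echo $response, "\n"; // contains neither "auth" nor "poster_email"
```

Running the leak check against the unsanitized row (`json_encode(['jobs' => [$row]])`) returns true, which makes it a usable regression test for both ApiGetJobs and ApiGetJobsByCompany.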

====

We’re sorry for not picking this up earlier and we hope your site wasn’t affected in any way by this breach.

If you have any further questions about this issue or other security concerns, please don’t hesitate to write back!

Category: Development, Knowledge Base

2 Responses

  1. [...] Later update: skip this and get the fix » [...]

  2. deco says:

    Hi, you are fixing bugs,

    I wonder that someone is selling your open source and earning money.

    http://www.truworthit.com/Products/job-board-software.php

    Look what they are doing.

    Good luck
