BUG: Reactions can be manipulated
Well, this was an interesting find. You can break the "Like" reactions. And erase Likes. I did it on
https://unacms.com/p/100-d-days-challenge
Look at likes and the emojis.
How to reproduce. Go to content with "Like" feature.
Long press (on mobile) and it brings up emojis. Choose anything but like. Open again (long press), select thumbs up (Like).
It will subtract a like, and ghost whatever emoji you had chosen.
Repeat.
Any emoji will add, the thumb up (like) will subtract one from the likes.
You end up with ghost reactions, no way to remove them, and the like button stops working for thumbs up.
As I said.... I demonstrated here, above link. This needs fixed ASAP.
- · Wise
@Alex T⚜️ @Anton L @LeonidS watch video.
Please provide a patch. Thank you.
- · LoneTreeLeaf
2 days this data manipulation bug was reported and not a thing has been done. Not even so much as an acknowledgement.
- · Wise
Hello? It's been days. This is a bug in core functionality.
-
Hello @LoneTreeLeaf !
This trouble is under investigation by our team, but I prefer to respond with certain results. Just a little wait, please.
-
I understand that, but some form of acknowledgement that these issues your community, nay, your CUSTOMERS are reporting are at least being seen would be greatly appreciated, and I'm sure I'm not alone in that thought.
- · Wise
Still awaiting git issue and fix.
- · Wise
Bump.
-
Hello @PetsNexxt !
Yes, thnx for the update about it :-) The link for the ticket is https://github.com/unacms/una/issues/4719
- · Wise
Yes, #4719 fixes it client side. But it still is able to be manipulated server side. I demonstrated by continuing to do so on the above UNA page. People who want to do harm to sites, especially if you get to the point you are having decent-size daily hits, script kiddie hackers look for ways to manipulate everything. My team found this easily, because the mechanism relies on JavaScript, with no server-side checks. I can still easily manipulate reactions by sending the calls manually.
I just took the UNA one up to 20 angry faces.
I know at times I can be overzealous, but I mean well. I get frustrated when I can't find something, because I'm not a vet UNA developer. And although PHP is very simple, I spent the last 10 years with my nose in Java and Android development. I'm readjusting. And I don't mean to sound negative, I just understand that a site that gets any popularity will also get the attention of those trying to hack in any way they can to disrupt site function. I know this because on my team I have a kid who does this regularly, server penetration and website vulnerability testing. That is not my area of expertise. 😉
I would suggest a check server side.
@LeonidS @PetsNexxt thank you for your responses. 😁👍
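The server-side check suggested in the post above, sketched as an added example that is not part of the thread and is not UNA's code. The table, function names and the reaction allow-list are hypothetical. It keeps one row per user and object and derives the totals from those rows, so repeating the emoji-then-Like sequence cannot subtract likes or leave ownerless reactions.

```php
<?php
declare(strict_types=1);
// Hypothetical allow-list (constructed); the thread names only Like and an angry face.
const ALLOWED_REACTIONS = ['like', 'love', 'angry'];

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per (object, user): nobody can hold two reactions at once,
    // and every stored reaction has an owner who can remove it.
    $db->exec('CREATE TABLE reactions (object_id INTEGER NOT NULL, user_id INTEGER NOT NULL,
        reaction TEXT NOT NULL, PRIMARY KEY (object_id, user_id))');
    return $db;
}

// $userId must come from the authenticated session, never from request data.
function setReaction(PDO $db, int $objectId, int $userId, ?string $reaction): void
{
    if ($reaction === null) { // removal only ever touches the caller's own row
        $db->prepare('DELETE FROM reactions WHERE object_id = ? AND user_id = ?')
           ->execute([$objectId, $userId]);
        return;
    }
    if (!in_array($reaction, ALLOWED_REACTIONS, true)) {
        throw new InvalidArgumentException('unknown reaction');
    }
    // Switching reactions replaces the row; nothing is added here and subtracted there.
    $db->prepare('INSERT INTO reactions (object_id, user_id, reaction) VALUES (?, ?, ?)
                  ON CONFLICT(object_id, user_id) DO UPDATE SET reaction = excluded.reaction')
       ->execute([$objectId, $userId, $reaction]);
}

// Totals are computed from the rows, so they cannot go negative or drift.
function counts(PDO $db, int $objectId): array
{
    $st = $db->prepare('SELECT reaction, COUNT(*) FROM reactions
                        WHERE object_id = ? GROUP BY reaction ORDER BY reaction');
    $st->execute([$objectId]);
    return $st->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed replay of the reported sequence: an emoji, then thumbs up, repeated.
$db = openStore();
setReaction($db, 100, 1, 'like'); // another user's existing like stays untouched
for ($i = 0; $i < 20; $i++) {
    setReaction($db, 100, 2, 'angry');
    setReaction($db, 100, 2, 'like');
}
print_r(counts($db, 100));
```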
- · LeonidS
In reply to Wise
@Anton L has added improvements today.