Rash of password resets not working?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Cookie domain is: .myweb.co.uk
    Cookie path is: /
    Cookie prefix is: fun
    running 3.8.4 Patch Level 2.



    • #32
      Originally posted by jimjam View Post
      Cookie domain is: .myweb.co.uk
      Cookie path is: /
      Cookie prefix is: fun
      running 3.8.4 Patch Level 2.
      You didn't say what your forum URL was. Is your cookie domain something you changed recently? Messing with cookie settings is dangerous; a few releases changed how cookies and passwords were dealt with for security reasons. Are you also experiencing what your users are? Can you upgrade to 3.8.5?



      • #33
        Originally posted by Zachery View Post
        ...a few releases changed how cookies and passwords were dealt with for security reasons.
        Which versions were they changed in?

        Was it changed after 3.8.3 PL1?

        edit:

        Was this what happened? 3.8.4 PL2?

        I found this for 3.8.4 PL2, I also saw the 3.8.4 PL1 release last October that fixed an XSS flaw:

        vBulletin 4.0.0 PL1 / 3.8.4 PL2 / 3.7.6 PL2

        An exploit in our input validation has recently been discovered. This could allow a brute force attack to comprise and spoof input data for a given user. To resolve this issue, it is necessary to release a patch level version of the active versions of vBulletin.

        The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.
        Last edited by Abomination; Wed 21st Apr '10, 12:38pm.



        • #34
          I found the answer, in a thread Zack closed LINK, yes these types of things started with 3.8.4 PL2.

          These are the types of things that happen on vb.com that are driving me away from the software. I am tired of this BS. That is on top of all the other issues the company has.

          I am NOT happy at the moment.

          Originally posted by Abomination View Post
          Which versions were they changed in?

          Was it changed after 3.8.3 PL1?

          edit:

          Was this what happened? 3.8.4 PL2?

          I found this for 3.8.4 PL2, I also saw the 3.8.4 PL1 release last October that fixed an XSS flaw:

          vBulletin 4.0.0 PL1 / 3.8.4 PL2 / 3.7.6 PL2

          An exploit in our input validation has recently been discovered. This could allow a brute force attack to comprise and spoof input data for a given user. To resolve this issue, it is necessary to release a patch level version of the active versions of vBulletin.

          The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.



          • #35
            We had two options, fix the security issue, or leave it open.



            • #36
              Originally posted by Abomination View Post
              I found the answer, in a thread Zack closed LINK, yes these types of things started with 3.8.4 PL2.
              So, you didn't run the salt refreshing script when you upgraded?

              The 'answer' can be found in several threads, including the announcement threads for the updates.



              • #37
                Originally posted by Ace View Post
                So, you didn't run the salt refreshing script when you upgraded?

                The 'answer' can be found in several threads, including the announcement threads for the updates.
                We are still using vb3.8.4 PL1



                • #38
                  Originally posted by Zachery View Post
                  You didn't say what your forum URL was. Is your cookie domain something you changed recently? Messing with cookie settings is dangerous; a few releases changed how cookies and passwords were dealt with for security reasons. Are you also experiencing what your users are? Can you upgrade to 3.8.5?
                  Hi Zachery, I've not changed anything, apart from upgrading to patch level 2. No, I have not yet experienced having my password rejected, but plenty of savvy members have and the reset just does not work. I have not messed with cookie settings, I changed the prefix from vb to fun on advice after installing 3.8.4 when we had LOTS of login problems, but that's all.

                  It's a tough one because it's intermittent, I cannot see a pattern to it, it seems random but it's happening a LOT and it's a pain.



                  • #39
                    Originally posted by Zachery View Post
                    We had two options, fix the security issue, or leave it open.
                    You also had the option to answer the question I directly asked you. THAT is why I was, and still am, not happy.



                    • #40
                      Originally posted by Ace View Post
                      So, you didn't run the salt refreshing script when you upgraded?
                      Salt refreshing script? Where do I find this?
                      http://www.sticksports.com
