
Possible EXTREMELY large security hole


  • Possible EXTREMELY large security hole

    A member posted this at my board, and someone else was asking "Why they could read other people's PMs" the other day. We just upgraded to vB2.0 beta 2:

    every time I log in, I seem to get in as a different member. Sometimes it goes away when I try to get into the staff section, but sometimes it doesn't let me into the staff forums either, and I have to log in manually.

    now this is not only annoying, but also quite dangerous

    check it out. this could be a serious one!

    btw, up to now I somehow logged in as "blue madcat" and "comander bla"
    Is this a bug? Is there a fix? We have many private forums, with sensitive information in them meant only for the group of users that have access to them. I don't want people to accidentally get access to them.

    Even worse would be if they got in as an admin. They could do whatever they wanted, delete posts..... anything!

  • #2
    This was posted by the user "anwar". He does not know blue MADCAT's password. I am sure of that one, because he is a mod, and wouldn't go around trying to steal users' passwords.

    This shows proof of how he logged in as him. He did not try to, but it just came up when he had his own cookie.


    • #3
      I was able to log in as a different user on these forums in beta1. I emailed John about it, never found out what exactly happened... I thought it was fixed, or was a one-time fluke, guess not


      • #4
        Well this should be fixed ASAP

        If it isn't, is there a downgrade script that will let me go from 2.0 back down to 1.1.5, cuz I cannot have this even as a possibility on my forum?


        • #5
          I've already logged in as another user at SitePointForums as well. I contacted Wayne, though. Here are some screenshots: Amusing it certainly was, but I didn't post.

          Nicky, please don't get angry at me! (I've also logged in as Karl, but I don't have screenshots. Again, please don't get angry at me.)


          • #6

            I know you have seen this post, cuz ur replying to others here.

            Plz reply w/ SOME sort of response to this one.


            • #7
              Oh, I'll just add that I really don't know how it happened. I simply logged in one day, and I was Karl. The next day I was Nicky, then after a while I logged out and logged back in as me, pedro_gb. Don't know how it happened.

              Actually, I remember that it wouldn't log me out, whatever I tried (using the website). The only way I managed to log out was by deleting the cookie. Very strange.


              • #8
                What do you want me to say?

                I can't say it's fixed, because I've found it impossible to reproduce and I don't see what would be causing it. I have made some code changes though, but who knows at this point.


                • #9

                  Sorry Ed. You're right. My bad.


                  • #10
                    I guess the major threat is if someone happens to find themselves logged in as a moderator, or worse yet - an administrator. How many would resist taking advantage of that situation?


                    • #11
                      Well, what I have done at my forum, which I HIGHLY suggest doing - is adding .htaccess to /forum/admin

                      So that way if somehow a user gets an admin password, they would still have to get past the .htaccess password, which is 15 letters long with numbers and letters..


                      • #12
                        I have a Windows 2000 Advanced Server. Would I just make the forums a FrontPage web and make a password, or can I use .htaccess? If I can use .htaccess, can someone please tell me how to set it up?


                        • #13
                          This is an issue for 1.15 as well. I emailed John about it last week (and got no reply yet).

                          Maybe this is how webhostingtalk was hacked?

                          Red Alert, Red Alert.

                          This is very upsetting. John, can you please tell us you are working on this?



                          • #14
                            I think .htaccess is a Linux-only thing.


                            • #15
                              I don't know if this applies but the other day one of my moderators had his account used by someone else who managed to do some damage before we locked the account.

                              Obviously this is a concern that I hope you can reproduce and fix if so.....



