Possible EXTREMELY large security hole


  • #46
    Here's my update:

    For Version 2.0.0 beta 2
    IE 5.5
    server:
    Server Speed: 900 MHz
    Server Memory: 512 MB
    RedHat Linux Version: 6.22
    Redundant OC-3 / OC-12 Lines: yes
    Redundant Power Backup: yes
    PHP 4.01 w/ Zend Optimizer
    MySQL 3.23.24
    HOST: HostRocket.com


    Setting both:
    1) Automatically login when you return to the site? (Uses cookies)
    2) Browse board with cookies

    To 'YES', everything works fine for Proxy and non-Proxy users.
    But on logout, vB does not erase the data in the [session] table.
    So that’s why you will still see the logged-out names among the logged-in users in index.php.
    ------------------------------------------------------------------------

    Setting both:
    1) Automatically login when you return to the site? (Uses cookies)
    2) Browse board with cookies

    To 'No' works for both Proxy and non-Proxy users, but it is a bit annoying: the user must log in every time he posts a thread or a reply, and sometimes he can't enter his user CP!

    ------------------------------------------------------------------------

    Setting:
    1) Automatically login when you return to the site? (Uses cookies)
    To 'Yes'

    2) Browse board with cookies
    To 'NO'

    The Proxy user can't post anything and a vB message tells him to register!
    For normal users it works fine.
    ------------------------------------------------------------------------

    Setting:
    1) Automatically login when you return to the site? (Uses cookies)
    To 'NO'

    2) Browse board with cookies
    To 'YES'

    For proxy users it will sometimes be a tragedy.
    The welcome message is shown for another user!
    You can (((SOMETIMES))) go to the other user's CP (the one you got the welcome message for).

    I think it's because the Forum identifies the user with his IP address... and that’s the problem.
    PROXY users have the same IP!!

    So I think giving two options to the PROXY user:
    1) Automatically login when you return to the site? (Uses cookies)
    2) Browse board with cookies

    IS WRONG!
    Those two options need to be merged for those users.
    And the [Session] table needs fixing so that all of the user’s data gets erased when he logs out!!

    Anatolia
    p.s. still testing
    Last edited by Anatolia; Thu 8 Mar '01, 10:08am.
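
The behaviour reported in post #46, as an added example that is not part of the thread and is not vBulletin's code: assuming, as the poster suspects, that a session is matched on client IP, two users behind one proxy resolve to the same row, whereas matching on a random per-login token keeps them apart and deleting the row on logout clears the online list. The `session` schema, the function names and the IP address are hypothetical.

```python
import secrets
import sqlite3

def make_db():
    # Hypothetical schema for illustration; not vBulletin's actual session table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (token TEXT PRIMARY KEY, userid INTEGER, host TEXT)")
    return db

def login(db, userid, host):
    """Create a session row and return the random token the browser would hold."""
    token = secrets.token_hex(16)
    db.execute("INSERT INTO session VALUES (?, ?, ?)", (token, userid, host))
    return token

def lookup_by_host(db, host):
    """Weak: client IP is the only key, so a shared proxy IP matches another user's row."""
    row = db.execute(
        "SELECT userid FROM session WHERE host = ? ORDER BY rowid DESC LIMIT 1",
        (host,)).fetchone()
    return row[0] if row else None

def lookup_by_token(db, token):
    """Stronger: the unguessable per-login token is the key; the IP plays no part."""
    row = db.execute("SELECT userid FROM session WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None

def logout(db, token):
    """Delete the row so the user stops appearing in the logged-in list."""
    db.execute("DELETE FROM session WHERE token = ?", (token,))

def online_users(db):
    return sorted(r[0] for r in db.execute("SELECT DISTINCT userid FROM session"))

def demo():
    db = make_db()
    proxy_ip = "192.0.2.10"          # constructed: both users sit behind one proxy
    first = login(db, 1, proxy_ip)   # user 1 logs in
    second = login(db, 2, proxy_ip)  # user 2 logs in through the same proxy
    result = {
        "user1_by_host": lookup_by_host(db, proxy_ip),  # user 1's request, keyed on IP
        "user1_by_token": lookup_by_token(db, first),
        "user2_by_token": lookup_by_token(db, second),
    }
    logout(db, second)
    result["online_after_logout"] = online_users(db)
    result["user2_after_logout"] = lookup_by_token(db, second)
    return result

if __name__ == "__main__":
    print(demo())
```
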



    • #47
      Re: Here's my update:

      Originally posted by Anatolia
      Setting both:
      1) Automatically login when you return to the site? (Uses cookies)
      2) Browse board with cookies

      To 'YES', everything works fine for Proxy and non-Proxy users.
      But on logout, vB does not erase the data in the [session] table.
      So that’s why you will still see the logged-out names among the logged-in users in index.php.
      ------------------------------------------------------------------------

      Setting both:
      1) Automatically login when you return to the site? (Uses cookies)
      2) Browse board with cookies

      To 'No' works for both Proxy and non-Proxy users, but it is a bit annoying: the user must log in every time he posts a thread or a reply, and sometimes he can't enter his user CP!

      ------------------------------------------------------------------------

      Setting:
      1) Automatically login when you return to the site? (Uses cookies)
      To 'Yes'

      2) Browse board with cookies
      To 'NO'

      The Proxy user can't post anything and a vB message tells him to register!
      For normal users it works fine.
      ------------------------------------------------------------------------

      Setting:
      1) Automatically login when you return to the site? (Uses cookies)
      To 'NO'

      2) Browse board with cookies
      To 'YES'

      For proxy users it will sometimes be like a tragedy.
      The welcome message is shown for another user!
      You can (((SOMETIMES))) go to the other user's CP (the one you got the welcome message for).

      I think it's because the Forum identifies the user with his IP address... and that’s the problem.
      PROXY users have the same IP!!

      So I think giving two options to the PROXY user:
      1) Automatically login when you return to the site? (Uses cookies)
      2) Browse board with cookies

      IS WRONG!
      Those two options need to be merged for those users.
      And the [Session] table needs fixing so that all of the user’s data gets erased when he logs out!!

      Anatolia
      p.s. still testing
      Whoa ... that was kind of confusing, in a good way.

      We need to be able to switch those 2 settings on and off for all members via the control panel - I'd rather have to make my members use a cookie than have the alternative possible security problem.
      :: Always Back Up Forum Database + Attachments BEFORE upgrading !
      :: Nginx SPDY SSL - World Flags Demo [video results]
      :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ vbulletin.com blog summary ]



      • #48
        Anything new on this issue?? This is really scary.



        • #49
          You need to update to beta 3 and then let us know if you still have problems.
