Announcement

Collapse
No announcement yet.

Big security problem!!!!!!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Big security problem!!!!!!

    I get this post om my board:

    OK... this is very interesting.

    This is the first time I've been to your board, so I tried to register. Upon clicking the registration link, I was told that,

    "Our records show that you have already registered at this board under the name of SKHitman. If you have lost your password, click here. If you would like to modify your profile, click here. "

    Just wanted to letcha know that while I have NO CLUE who or what an SKHitman is, it has let me in with his account. This is a big security hole for you guyz, and I would start requiring users to login. I am behind a firewall, so it is somehow possible that you checked my IP and identified it with an existing members, but I sincerely doubt it. No one else here would have hit your board, so I would definately check this out and find out why it's happening.

    I have not changed any of this accounts profile settings or passwords. I have no mal-intent here and wish you guyz the best. I will register for a new account when the feature becomes available to me.


    Any clues???

  • #2
    Help please... i get this message from 3 members now...

    Comment


    • #3
      The only way he would get this message is if he's on a computer with a cookie SKHitman left behind.

      This would be if they're both connecting from the same office, whereby cookies are stored on a main terminal; or they're both connecting from the same university computer, etc.

      There is nothing you can do about it other than to educate your users that they should not use cookies on public terminals.

      Otherwise, it's the same as going into your home and using your computer.

      Comment


      • #4
        I've been getting this from a lot of members. At first it was a group from Australia and New Zealand, using the same ISP. Two are on a school network, so that explains that problem, but not the rest.

        Now it has started showing up in England by NTL users. This really scares me as most of our members are in the UK and a huge portion of them are on NTL. These members are not sharing computers. There was a post a while back that described the problem in the UK on the Freeserve ISP which is huge.

        I'm worried.

        Comment


        • #5
          i've had users reporting this problem to me - that they go to the board and discover they are logged in as another user ...
          this is pretty serious, i hope you guys look into it.

          Comment


          • #6
            Brooklyn, we have a lot of the same members on our forums. I see you are using RC2 and still getting this problem? I was just getting ready to upgrade hoping this would fix it, we are still on 2.3.

            I'm not sure if there was every any official word on this situation, it's been going on for a long time. Does anyone know?

            Comment


            • #7
              Hi grumpy

              I think something similair's been discussed here earlier. The problem seems to stem from users using non-cookie (url) sessions, while at the same time sufing through a proxy-server. It seems the proxy-servers are handlig things a little wierd, so sometimes one user gets the link from another user (using the same proxy-server). The best way to avoid this problem is to enter the user cp -> Edit Options and set Browse board with cookies? to yes

              I believe this will solve the users problem. I myself have set the option to yes for all my users, and changed the template to make this the default for new users as well.

              The advice of the day then, is: If you "surf" through a proxy, use cookies for sessions.

              I hope this solves your problem!

              With regards
              - TommyBALL
              MCP / MCSA / MCSE / MCT
              A few eggs short of a complete easter basket

              vB 4.0.5+ CMS (No hacks), Windows Server 2008 R2 Ent, IIS 7.5, PHP 5.3+ (FastCGI), WinCache, Memcached, MySQL 5.1.45

              Comment


              • #8
                Thanks for the reply, Tommy Unfortunately, this isn't helping. We had set ours to default to 'yes' for both Browse with Cookies and Remember Login. I just checked 8 accounts of people that have complained of this problem, and all 8 still show 'yes' as checked. There has to be something else going on here

                Comment


                • #9
                  Sorry to hear that...

                  Well. I have another farfetched idea .

                  Have you noticed that when you do a login (at the bottom of the frontpage), the session is contained in the URL when the frontpage comes up (even if you have Browse board with cookies? set to yes). All other links on the page is of course without the session-id in the url. (The same thing goes for the Admin area). This url would of course be saved in the proxy-server-cache. Another user entering the fronpage through the same proxy-server, would then have a theoretical chance of getting YOUR url (with YOUR session-id).

                  So setting Browse board with cookies? to yes, won't help you at all .

                  As I write this, it in fact seems more and more like a very logical thing. And I agree that this IS a security-problem.

                  I know that this is not something that's supposed to happen with a proxy-server, but there are really quite a few 'bad' (or badly configured) proxy-servers out there.

                  I know you developers are very busy at the moment (readying the 2.0 release), but I think it's really important that you comment on this.

                  You are of course welcome to stomp all over my reasoning, and tell me I'm wrong . But I feel quite strongly that you should in some way comment on our worries!

                  With regards
                  - TommyBALL

                  PS! I don't mean to gripe, but I really dislike worrying about things like this. Especially since I'm a security consultant .
                  Last edited by TommyBALL; Fri 4th May '01, 2:47pm.
                  MCP / MCSA / MCSE / MCT
                  A few eggs short of a complete easter basket

                  vB 4.0.5+ CMS (No hacks), Windows Server 2008 R2 Ent, IIS 7.5, PHP 5.3+ (FastCGI), WinCache, Memcached, MySQL 5.1.45

                  Comment


                  • #10
                    My Experience:

                    - You NEVER get logged in as someone else. All you are seeing it their cached pages (by over keen proxy servers)
                    - The most common pages this happens on are index.php and private.php (email links)
                    - Making people browse with SESSIONS IN THE URL helps. You get the wrong index.php page say, (the cached version), click a link (with s= in it) the server realises that the session is wrong and makes you a new one.

                    Way this can be flawed:

                    - two people, on same ip (behind proxy) and same settings (not sure what checks they use but OS i would imagine etc..) then you might log in as someone else if you get their sessionid but i have never had it happen.

                    Solution for all this, turn on "no cache" headers inside the admin control panel. Adds server load but you never get the problem again.

                    Remember, all my experience.
                    Christopher Padfield
                    Web Based Helpdesk
                    DeskPRO v3.0.3 Released - Download Demo Now!

                    Comment


                    • #11
                      Are we talking MUCH of a server load? We're really pushing things to the max as it is.


                      Also, I don't think anyone experienced this until vB 2. Can't they change whatever it is in this version so it doesn't happen again?
                      Last edited by grumpy; Fri 4th May '01, 3:44pm.

                      Comment


                      • #12
                        Thanks for your input chrispadfield. It was valuable. I'm quite new at PHP, but I've done quite a bit of coding in other lang's through the years. I'll give a shot at trying to figure out the session-logic, allthough I'll expect Ed to stomp on my reasoning any hour now .

                        With regards
                        - TommyBALL
                        MCP / MCSA / MCSE / MCT
                        A few eggs short of a complete easter basket

                        vB 4.0.5+ CMS (No hacks), Windows Server 2008 R2 Ent, IIS 7.5, PHP 5.3+ (FastCGI), WinCache, Memcached, MySQL 5.1.45

                        Comment


                        • #13
                          Originally posted by grumpy
                          Are we talking MUCH of a server load? We're really pushing things to the max as it is.


                          Also, I don't think anyone experienced this until vB 2. Can't they change whatever it is in this version so it doesn't happen again?
                          don't know, my server load is very high for the user i have on but that is almost certainly because i have an old version of vb installed probably without proper indexes at all because i came from the alpha version.
                          Christopher Padfield
                          Web Based Helpdesk
                          DeskPRO v3.0.3 Released - Download Demo Now!

                          Comment


                          • #14
                            Chris is 100% right on all counts

                            And the server load, using no-cache, can increase by 33% on average per the BB load.

                            Comment


                            • #15
                              Originally posted by bira
                              Chris is 100% right on all counts

                              And the server load, using no-cache, can increase by 33% on average per the BB load.
                              hehe.. it took a few monster threads between us to work this out though.. lol.
                              Christopher Padfield
                              Web Based Helpdesk
                              DeskPRO v3.0.3 Released - Download Demo Now!

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X