Big security problem!!!!!!

  • #16
    Upstream proxy server cache?



  • #17
    I REALLY hope the developers are looking into this...

    http://www.vbulletin.com/forum/showthread.php?s=&threadid=15665

    Ed?

    With regards
    - TommyBALL
    MCP / MCSA / MCSE / MCT
    A few eggs short of a complete easter basket

    vB 4.0.5+ CMS (No hacks), Windows Server 2008 R2 Ent, IIS 7.5, PHP 5.3+ (FastCGI), WinCache, Memcached, MySQL 5.1.45


  • #18
    Aha, an answer that applies to my situation finally comes out.

    I was using a link on my main page that pointed to /forum/vBulletin/index.php

    The problem was fixed by changing the link to /forum/vBulletin/index.php?s=

    I was having this problem because I use the bulletin board from work, and so does one of my co-workers, so when I went to go log back in, it was telling me welcome back and using his name.

    Problem seems to be fixed now.

    Thanks for the help.


  • #19
    Ok, how about this one? Account impersonation

    - I changed my account settings so that I was not using cookies to store the session id.

    - I went to the User's CP page: http://www.vbulletin.com/forum/usercp.php?
      and copied the url with the session id intact.

    - I emailed this url to my co-worker and had him click it.

    - He was then logged in as me (lusso) and could impersonate my account. I checked his cookie file and it got set to my userid and md5 encoded password. He could kill his browser and come back and he was still logged in as me.

    =================

    We do have a proxy server and we are using DHCP, which I believe means we have dynamic IP addresses. Does this make a difference?

    What is the best way to prevent this security problem? What are the compromises in doing so?

    Thanks for your help!


  • #20
    Members on my board...

    .. are apparently able to read pm's due to this problem. I would love to know how to disable sessions entirely if there is no way of fixing it. Anyone?


  • #21
    Re: Members on my board...

    Originally posted by Kayla
    .. are apparently able to read pm's due to this problem.

    Due to what problem and what do you mean by 'apparently?' AFAIK there is no way a member can read other member's PMs without having their password.

    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography

    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


  • #22
    This is what I was told...

    .. when I asked around and I think this is how it is happening:

    OK... vBulletin isn't as stupid as that.

    Now... how it works.

    When you log in, vB sets a cookie that tracks who you are.
    EVERY page on the forum reads this cookie.
    It contains your user info.

    Now... when you try to access something... it checks your cookie to see if you're really allowed to.

    If not, you get a No Permission message.

    This person sent themselves a link to their own PMs. The system checks their identity and says "Well, this is bob, and he's trying to read Bob's PMs. So he's allowed".

    But if you tried clicking this same link... you would see No Permission.

    Kayla is not allowed to read Bob's PMs.

    Try it. Log in. Go read a random PM.

    Copy the address... it should be something like
    http://your.domain.here/board/priva...messageid=19795

    Now log out

    Try pasting that link into your browser and trying again.

    No Permission.

    Log in under a different name.

    Try pasting again. No permission.

    There is exactly ONE exception.

    Notice in the address there's a part...

    s=&blahblah

    s is your "session hash"

    This is a special 32 character long code that the vB uses to keep track of who you are if you are NOT using cookies.

    Most cookie users have it blank.

    BUT... if a link is sent with a session hash set...

    The forum will ignore the cookie
    And instead recognize them as the person the hash belongs to.

    After 15 minutes of non-use... it expires and doesn't work anymore.

    But if someone uses it more often than every 15 mins... it lasts.

    AND... by using that, a link CAN be sent that allows you to get into someone else's PM box... because the link will log you in as them!

    This is how my members stated they can read pm's. I have seen this issue raised here on VB many times. I don't think I am the only one.


  • #23
    The only way this could happen is if the person accessing another's PM had the exact same cookie on their computer. I suggest you test this out for yourself. Members cannot read other Members PMs without the corresponding password, whether it's in the cookie or they enter it manually. The sessionhash does not contain any password information.

    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography

    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


  • #24
    Is there a way...

    .. to get rid of sessions entirely?.. just use cookies?


  • #25
    Whoever told you the above is not correct. vBulletin uses your IP address in addition to the sessionhash - the sessionhash alone will not allow you to access somebody else's account.

    You cannot 'disable' or 'get rid of' sessions or your forum won't work. What you can do is force your users to use cookies with their sessions instead of using the sessionhash. If you search these forums you should find instructions on how to do that.
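As an added example (written for this thread, not vBulletin's own code), a Python model of the session rules the posts describe: the 15-minute idle expiry and cookie override from #22, the IP check from #25, and the cookie-with-password-hash fallback from #23, with #19's mailed-link replay reproduced in `replay_scenario`. The user table, IP addresses and the injectable clock are constructed values.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # post #22: a session hash expires after 15 minutes of non-use
GUEST = 0


class SessionStore:
    """Hypothetical model of vBulletin-style sessions (constructed for this example)."""

    def __init__(self, users, clock=time.time):
        self.users = users      # userid -> stored password hash (constructed sample data)
        self.clock = clock      # injectable clock so expiry can be exercised offline
        self.sessions = {}      # sessionhash -> {"userid", "ip", "last_seen"}

    def login(self, userid, client_ip):
        """Start a session bound to the client IP; returns the 32-character 's=' value."""
        sessionhash = secrets.token_hex(16)
        self.sessions[sessionhash] = {"userid": userid, "ip": client_ip, "last_seen": self.clock()}
        return sessionhash

    def resolve(self, url_sessionhash, cookie, client_ip):
        """Decide which userid a request acts as (GUEST if neither credential checks out)."""
        sess = self.sessions.get(url_sessionhash or "")
        if sess is not None:
            if self.clock() - sess["last_seen"] > IDLE_TIMEOUT:
                del self.sessions[url_sessionhash]   # idle expiry: the hash stops working
            elif sess["ip"] != client_ip:
                return GUEST                         # post #25: hash plus IP, never hash alone
            else:
                sess["last_seen"] = self.clock()     # each use extends the 15-minute window
                return sess["userid"]
        # No usable URL hash: fall back to the cookie (userid, password hash), as in post #23
        if cookie and self.users.get(cookie[0]) == cookie[1]:
            return cookie[0]
        return GUEST


def replay_scenario(shared_proxy):
    """Post #19's mailed link: lusso's URL hash reused by a co-worker, before and after expiry."""
    now = [1_000_000]
    store = SessionStore({7: "md5-of-lusso-password"}, clock=lambda: now[0])
    s = store.login(7, "10.0.0.5")                           # lusso's session from his IP
    other_ip = "10.0.0.5" if shared_proxy else "10.0.0.9"    # same egress IP behind a shared proxy
    before_expiry = store.resolve(s, None, other_ip)
    now[0] += IDLE_TIMEOUT + 1                               # more than 15 minutes of non-use
    after_expiry = store.resolve(s, None, other_ip)
    return before_expiry, after_expiry
```

Behind a shared proxy (the setup #19 describes) the co-worker's request arrives from the same address, so the IP check alone does not stop the replay; forcing cookie sessions, as #25 advises, keeps the hash out of links in the first place.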
