Potential security problem


  • #61
    Originally PMed by cosmos
    Finally understood the method expiration values are conveyed to the client after having a look at http://forums.animation-web.com/ :
    they are embedded in HTML, which is useless when proxies stand in the middle.

    A web proxy will not open an HTML file (like the output of forumdisplay.php or any other PHP vBulletin template) so it will never ever understand expiration values this way. The only acceptable method of conveying expiration information is to send the following HTTP fields within the head of the HTTP response and not within the body:

    Cache-Control: no-cache="set-cookie", must-revalidate, max-age=0
    Pragma: no-cache


    Even getright as a client or any proxy can understand this response, which affects caching of the document that follows in the HTTP (not HTML) body.
    Toddler from Hell



    • #62
      But isn't this how the no cache headers ARE set up in vb? I.e., the code is in the head, not the body.
      JTMON



      • #63
        No...the <head> of an HTML document is not what he's talking about. He means the HTTP headers returned when you request a document from a server, not in the HTML at all.



        • #64
          DOH! That's 2 for you Tubedogg!
          JTMON



          • #65



            • #66
              I'm just happy cosmos has the time to look into this. I don't, but we'll wear you down eventually.
              Toddler from Hell



              • #67
                Fusion,

                I'm not sure if you've covered these already, but would you mind answering them again if you have:

                - do you browse with sessionhash in the URL or as a cookie?
                - do you have 'remember username and password' set to yes or no?
                - is it still an issue if you log out using the log out link
                - what proxies are there in between you and us?
                - is this just on vbulletin.com or on all vbulletin sites?

                Has anyone else been able to confirm this exact issue, or is it just your setup?

                Thanks,

                John
                John Percival

                Artificial intelligence usually beats real stupidity ;)



                • #68
                  Originally posted by John
                  Has anyone else been able to confirm this exact issue, or is it just your setup?

                  Thanks,

                  John
                  Sorry John, but I work behind a heavy proxy server and have not experienced what he is experiencing. Even so much as visiting other vBulletin sites (including vbulletin.com and vbulletin.org).
                  There are only 10 types of people in the world: Those who understand binary, and those who don't



                  • #69
                    Originally posted by John
                    - do you browse with sessionhash in the URL or as a cookie?
                    URL
                    - do you have 'remember username and password' set to yes or no?
                    No
                    - is it still an issue if you log out using the log out link
                    Yes
                    - is this just on vbulletin.com or on all vbulletin sites?
                    All.

                    I'm not experiencing this problem but he already answered all of these questions.



                    • #70
                      I am behind a proxy and I have tried for about 30 mins now to reproduce the error, and I haven't been able to.
                      Board of the Month: November
                      Websites: Pixeljunction , vBulletin.org
                      Button Sets: XP and Aqua Button sets! FREE!
                      vB Customization: My sig is now vbulletin compliant. Contact me to make yours compliant too!



                      • #71
                        Originally posted by Sinecure
                        I am behind a proxy and I have tried for about 30 mins now to reproduce the error, and I haven't been able to.

                        Maybe we need to disable the "access" to the browser as well on a WIN 2k machine (that means the browser cannot have the File > Edit > View > Favorites > Tools > Help bar) . ONLY the address bar and nav buttons.

                        Though I even went to my local library with a machine like it and haven't been able to recreate the problem there (librarian looked at me like I was trying to hack the damn thing)
                        There are only 10 types of people in the world: Those who understand binary, and those who don't



                        • #72
                          Originally posted by John
                          Fusion,

                          I'm not sure if you've covered these already, but would you mind answering them again if you have:

                          - do you browse with sessionhash in the URL or as a cookie?
                          It's when using the sessionhash
                          - do you have 'remember username and password' set to yes or no?
                          no
                          - is it still an issue if you log out using the log out link
                          no, then it's fine.
                          - what proxies are there in between you and us?
                          Microsoft Proxy Server 2.0
                          - is this just on vbulletin.com or on all vbulletin sites?
                          as far as I've been able to determine, it's all vB sites. I first saw it here then went and tested a few others, with the same exact result.
                          Has anyone else been able to confirm this exact issue, or is it just your setup?
                          robinchee started a similar thread which you might want to read. I've included a few more recent findings there.
                          Thanks,

                          John
                          Thanks for your time, John. I'm so sorry to cause this much headache for you lot.
                          Toddler from Hell



                          • #73
                            John, thanks for granting reply privileges!

                            tubedogg is correct, I'm talking about modifying the HTTP response sent back, which should not be a big deal here, since avatar.php already does it (although it shouldn't).

                            I have posted my response in http://vbulletin.com/forum/showthrea...826#post209826

                            Always open for questions/comments...



                            • #74
                              Similar problem - help!

                              I was just alerted by users of a similar problem:
                              User A surfs with cookies, but without "remember username"
                              User B surfs with cookies, with "remember username" on

                              They work in the same organization and seem to use the same proxy. B was logged in and using the system, then quit without logging out.

                              A was on another computer on that net, opened my site and found that he was automatically logged in as user B! He could access user settings etc.

                              Serious security problem of course! User B threatens to sue.... Does the fix outlined here solve this problem you think?

                              Update: this is also a MSProxy! I bet it caches documents with setcookie-header intact and serves it to other users. The cache buster lines should help - I'd add them in the vbsetcookie() function so they are always added whenever a cookie is set.
                              Last edited by clindh; Thu 7th Feb '02, 7:06am.
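
Added example, not part of the thread and not vBulletin code: a small Python audit of the distinction drawn in posts #61 and #63 and the risk described in post #74. It flags a response that sets a cookie while carrying its expiry information only in HTML `<meta>` tags. The function names, the cookie name `sid` and both sample responses are constructed for illustration, and the cache rules are a simplified model of what a shared proxy honours.

```python
import re
from email.parser import Parser

# Response directives that stop a shared cache from storing or silently reusing a reply.
BLOCKING = {"no-store", "private", "no-cache"}
META_RE = re.compile(r'<meta[^>]+http-equiv=["\']?(pragma|cache-control|expires)', re.I)

def split_response(raw):
    """Split a raw HTTP response into (header object, body text)."""
    head, _, body = raw.partition("\r\n\r\n")
    header_block = head.partition("\r\n")[2]              # drop the status line
    return Parser().parsestr(header_block, headersonly=True), body

def directives(headers):
    """Cache-Control directives as {name: value}; quoted values are unquoted."""
    value = ",".join(headers.get_all("Cache-Control", []))
    pairs = re.findall(r'([\w-]+)(?:=("[^"]*"|[^,\s]*))?', value)
    return {name.lower(): val.strip('"').lower() for name, val in pairs}

def audit(raw):
    """Report whether a cookie-setting response relies on HTTP headers or only on HTML."""
    headers, body = split_response(raw)
    cc = directives(headers)
    pragma = "no-cache" in (headers.get("Pragma") or "").lower()   # HTTP/1.0 fallback
    zero_age = cc.get("max-age") == "0" and "must-revalidate" in cc
    protected = bool(BLOCKING.intersection(cc)) or zero_age or pragma
    sets_cookie = headers.get("Set-Cookie") is not None
    return {
        "sets_cookie": sets_cookie,
        "header_protected": protected,
        # <meta> in the body is invisible to a proxy, so it never counts as protection.
        "meta_only": bool(META_RE.search(body)) and not protected,
        "at_risk": sets_cookie and not protected,
    }

# Constructed sample: expiry stated only inside the HTML document.
META_ONLY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: sid=EXAMPLE; path=/\r\n\r\n"
             '<html><head><meta http-equiv="Pragma" content="no-cache"></head></html>')
# Constructed sample: the header fields quoted in post #61, sent with the cookie.
HEADER_FIELDS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 'Cache-Control: no-cache="set-cookie", must-revalidate, max-age=0\r\n'
                 "Pragma: no-cache\r\nSet-Cookie: sid=EXAMPLE; path=/\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("meta only", META_ONLY), ("header fields", HEADER_FIELDS)):
        print(label, audit(raw))
```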
