Security problem with 2.20??

  • #16
    Originally posted by John
    I have just uploaded a new sessions.php file to this server to see if I might have found something. Can you test if the problem is still occurring.
    I'll let you know just as soon as I've had a chance to check from work.
    Also, you can only compare vBulletin with other pieces of software if that software offers a cookie-free option. I am not sure about Hotmail, but I am pretty sure you would not be able to log in if you did not have cookies turned on.

    It is the cookie-free option that seems to be creating this problem, I think.

    John
    Well, Hotmail's web-based mail reader has a special option for use on truly publicly accessible PCs, and that one uses a sessionhash completely void of cookies (I checked the PC), yet still is able to trap you on returning to the site without first logging out, and after an extended period of time. I even intentionally left the browser alive aiming to fool it.
    Toddler from Hell

    Comment


    • #17
      Originally posted by John
      It is the cookie-free option that seems to be creating this problem, I think.
      John, I had a look at the demo admin panel in the vBulletin site. The "no-cache" option offered there should not be an option at all, for the reasons outlined in my previous message. It is obvious that this way server load will increase. Yet, choosing between a fast/incorrect and slow/correct implementation is not really a tough decision to make: correctness should always be the top priority.

      Furthermore, the no-cache switch sends Cache-control: no-cache directives. This is a "heavy" directive, since for most vBulletin scripts (cases 1-2 plus 3-4 and 6) caching should be allowed, but with a revalidation taking place. It defeats all proxy caching, while a must-revalidate, max-age=0 would have the same effect, without the side-effects.

      Comment


      • #18
        The no-cache setting currently in the Admin CP does not set the HTTP headers no-cache items that you suggest. It is just in the head of the HTML page. So that would not solve anything to force those. After the reaction to encrypted passwords, I'm not sure forcing anything in vBulletin is such a stellar idea. I personally don't want or need them as I have had no problems with this and really can't afford the extra bandwidth.

        Comment


        • #19
          Originally posted by tubedogg
          The no-cache setting currently in the Admin CP does not set the HTTP headers no-cache items that you suggest. It is just in the head of the HTML page. So that would not solve anything to force those. After the reaction to encrypted passwords, I'm not sure forcing anything in vBulletin is such a stellar idea. I personally don't want or need them as I have had no problems with this and really can't afford the extra bandwidth.
          Wouldn't what he is describing be an issue in the way a server is set up instead of the program itself?

          Sorry, the ONLY no cache that I've run into is the way that Microsoft and tons of other programs have suggested. And I've never heard of the kind of implementation that Cosmos is suggesting.

          IS it an "html authoring" issue or is it a "server issue"
          He did not make that clear.
          There are only 10 types of people in the world: Those who understand binary, and those who don't

          Comment


          • #20
            No, using PHP's Header() function you can set HTTP headers, such as no-cache, etc. Supposedly these are the only ones that proxy servers will read and therefore react to; whereas right now, the no-cache META tags are not read by the proxy servers, because they are in the returned HTML, and therefore ignored.

            Comment


            • #21
              Originally posted by tubedogg
              The no-cache setting currently in the Admin CP does not set the HTTP headers no-cache items that you suggest.
              I am sorry Tubedogg, but this is not correct. After setting the "no-cache" option in the demo administration panel of vBulletin, I made an HTTP request using a command line utility, wget, to see what the HTTP response would look like. The header of the HTTP (HTTP, not HTML) response did include Cache-Control: no-cache directives! You can check that by yourself.

              Wouldn't what he is describing be an issue in the way a server is set up instead of the program itself?
              No WizyWyg, it is an issue of the code that generates the HTTP response, since that is the only one that understands exactly how the content of the page sent should be treated by clients/proxies with regard to caching/validation.

              Sorry, the ONLY no cache that I've run into is the way that Microsoft and tons of other programs have suggested. And I've never heard of the kind of implementation that Cosmos is suggesting.
              I understand. Don't take my word, just check the HTTP and cookies RFCs to see exactly how things should be done. Additionally, keep in mind that proxy servers in general adhere to these standards much better than any browser. Meaning that one should be conservative on "tuning" a program's HTTP dynamic output.

              IS it an "html authoring" issue or is it a "server issue"
              He did not make that clear.
              In this case, it is an entirely authoring issue. A "server" issue would be the following, especially if you use Apache to host vBulletin:
              I personally don't want or need them as I have had no problems with this and really can't afford the extra bandwidth.
              I understand and sympathise. Yet there are excellent ways that would enable you to counter bandwidth loss (due to the usage of correct Cache-Control/Pragma/Expires directives in vBulletin scripts): just make sure that all the small graphics files of vBulletin are checked very seldom. This is what I have proposed to a vBulletin-operated site. If you are interested, please post a new thread somewhere and PM me with the location; I'll be more than happy to provide instructions and discuss the general motivation.

              No, using PHP's Header() function you can set HTTP headers, such as no-cache, etc.
              Correct.
              Supposedly these are the only ones that proxy servers will read and therefore react to; whereas right now, the no-cache META tags are not read by the proxy servers, because they are in the returned HTML, and therefore ignored.
              Correct, especially if one removes the bold term.

              You see, HTML was not defined by an Internet body, but rather by W3C. W3C HTML authors were really insightful on this by specifying that it would be recommended if clients used any expiration information embedded in HTML. It is W3C that produced one of the early web servers, the CERN one, that was able to produce extra HTTP headers since they had realized from the advent of HTTP 1.0 that although expiration could be inserted in HTML code, it was not a generic solution; GIF/JPEG and binary files in general could not be associated with expiration values like HTML (in META keywords). That is why Expires/Pragma HTTP fields were introduced in the first place.

              Comment


              • #22
                BTW, this is the HTTP response given by the demo forum at vbulletin.com, after one sets the no-cache directive in the control panel:


                HTTP/1.0 200 OK
                Date: Sun, 25 Nov 2001 10:26:05 GMT
                Server: Apache/1.3.20 (Unix) mod_gzip/1.3.19.1a PHP/4.0.6
                X-Powered-By: PHP/4.0.6
                Expires: Mon, 26 Jul 1997 05:00:00 GMT
                Last-Modified: Sun, 25 Nov 2001 10:26:05GMT
                Cache-Control: no-cache, must-revalidate
                Pragma: no-cache

                Set-Cookie: sessionhash=d391b0d2c1fe9f54c44e937becb48987; path=/admindemo
                Set-Cookie: bblastvisit=1006683965; expires=Mon, 25-Nov-2002 10:26:05 GMT; path=/admindemo
                Content-Type: text/html

                I tried to access the board administration panel in this case. As you can see, Cache-Control directives are emitted within the HTTP head! It includes "Set-Cookie" fields too. So, an appropriate response would be the one of example (5) in a previous post of mine in this thread. Notice also that the expires header is missing. A semantically more correct approach (which would be on par with the HTTP/Cookies RFCs), since the link above should be highly secured, would be for the response to look like the following:

                HTTP/1.0 200 OK
                Date: Sun, 25 Nov 2001 10:26:05 GMT
                Server: Apache/1.3.20 (Unix) mod_gzip/1.3.19.1a PHP/4.0.6
                X-Powered-By: PHP/4.0.6
                Expires: Mon, 26 Jul 1997 05:00:00 GMT
                Last-Modified: Sun, 25 Nov 2001 10:26:05GMT
                Cache-Control: no-store
                Pragma: no-cache
                Expires: Thu, 01 Jan 1970 00:00:00 GMT

                Set-Cookie: sessionhash=d391b0d2c1fe9f54c44e937becb48987; path=/admindemo
                Set-Cookie: bblastvisit=1006683965; expires=Mon, 25-Nov-2002 10:26:05 GMT; path=/admindemo
                Content-Type: text/html

                Comment
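As an added check (not code from the thread or from vBulletin), the script below reads a raw response head of the kind `wget -S` prints and applies the rule argued in post #22 and summarised in post #28: a response that sets a session cookie should carry `Cache-Control: no-store`, because `no-cache` alone only forces revalidation and still lets a shared proxy keep a copy of the body. The sample head is constructed after the one quoted above, with a placeholder cookie value.

```python
"""Audit the caching posture of an HTTP response head (added example, not vBulletin code)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def parse_head(raw: str) -> list:
    """Return (name, value) pairs with lowercased names; the status line is skipped."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    return [(n.strip().lower(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines[1:])]


def cache_directives(pairs: list) -> set:
    """Merge Cache-Control tokens across repeated header lines."""
    tokens = set()
    for name, value in pairs:
        if name == "cache-control":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def audit(raw: str, now: Optional[datetime] = None) -> list:
    """Return findings for a response head; an empty list means it looks right."""
    pairs, now = parse_head(raw), now or datetime.now(timezone.utc)
    directives, names = cache_directives(pairs), {n for n, _ in pairs}
    findings = []
    if "set-cookie" in names and "no-store" not in directives:
        findings.append("sets a cookie but lacks Cache-Control: no-store")
    if "no-cache" in directives and "no-store" not in directives:
        findings.append("no-cache alone only forces revalidation; the body may still be stored")
    if "expires" not in names:
        findings.append("no Expires header for HTTP/1.0 caches")
    for name, value in pairs:
        if name == "expires":  # every Expires line must lie in the past
            try:
                if parsedate_to_datetime(value) > now:
                    findings.append(f"Expires lies in the future: {value}")
            except (TypeError, ValueError):
                findings.append(f"unparseable Expires: {value}")
    return findings


# Constructed sample modelled on the head quoted in post #22; the cookie value is a placeholder.
AS_SEEN = """HTTP/1.0 200 OK
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: sessionhash=PLACEHOLDER; path=/admindemo
Content-Type: text/html
"""
PROPOSED = AS_SEEN.replace("no-cache, must-revalidate", "no-store")
```

Running `audit(AS_SEEN)` reports two findings while `audit(PROPOSED)` reports none, which is the difference the thread is arguing about.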


                • #23
                  Okay cosmos, since you haven't "shwn" exactly where to put it.

                  WHERE? do you put that command?

                  AND HOW do you make it work for "non" php pages? Cause I only have a problem with .html files caching behind a proxy, but I don't have problems with vbulletin.
                  There are only 10 types of people in the world: Those who understand binary, and those who don't

                  Comment


                  • #24
                    Originally posted by WizyWyg
                    WHERE? do you put that command?
                    Could you be a little more specific if you do not mind? Just quote my passage, since I have been talking about a number of issues here and I'm beginning to lose track of them?

                    Comment


                    • #25
                      The one you just posted above mine.

                      How do you run that "query" command or whatever you call it to affect the HTTP output instead of the "headers" output to control cache. Cause I can't find any documentation on it.

                      And how does this work for just plain .htm(l) files?

                      This is something I've never encountered while researching cache on the net (and the only answers I get is the pragma no cache settings for the headers)
                      There are only 10 types of people in the world: Those who understand binary, and those who don't

                      Comment


                      • #26
                        Sorry, it seems I've managed to confuse you, not my intention really.

                        The output above was taken by using wget, a command line tool for HTTP/FTP sites. wget can be instructed with an -S switch to present the content of the HTTP head when retrieving a URL. The one posted above was just the head of the HTTP response of the vBulletin server when I tried to access the admin control panel of the vBulletin test forum, using wget.

                        The second response in the same post was just a what-a-correct-HTTP-response-head-should-contain thing. Meaning how should the specific PHP script be modified (using the PHP Header() function to accomplish this) in order to have a more correct and more secure output.

                        Comment


                        • #27
                          Okay it's NOT a solution after all then?

                          So how do we "incorporate" the http solution to vbulletin (so that we can solve fusion's problem) and also to "NON" .php file(d) site (or those that use plain .html).

                          IF it's in authoring then there should be an answer right?

                          Since I experience a "caching" problem with .html files (and NOT vbulletin or other vbulletin sites) working behind a proxy server.

                          What is the "code" that I would use in a webpage (when authoring) if the Header meta tags of pragma no cache doesn't solve the problem 100%?
                          Last edited by WizyWyg; Sun 25th Nov '01, 2:54am.
                          There are only 10 types of people in the world: Those who understand binary, and those who don't

                          Comment


                          • #28
                            It is not you that has to incorporate these changes into the script files, but rather vBulletin developers (wish John was here).

                            In a very short summary the following:
                            Remove the "no-cache" option from the vBulletin control panel. Every PHP vBulletin file should always mark HTTP responses as stale using Cache-Control/Expires/Pragma directives as outlined in examples (1)-(6) of my previous post.

                            Again, note that this is a vBulletin issue, not one of a vBulletin owner! If I can help, please do not hesitate to contact me.

                            OT, but if a vBulletin operator wants to greatly enhance responsiveness to his/her site then the following are of interest:
                            I understand and sympathise. Yet there are excellent ways that would enable you to counter bandwidth loss (due to the usage of correct Cache-Control/Pragma/Expires directives in vBulletin scripts): just make sure that all the small graphics files of vBulletin are checked very seldom. This is what I have proposed to a vBulletin-operated site. If you are interested, please post a new thread somewhere and PM me with the location; I'll be more than happy to provide instructions and discuss the general motivation.
                            If you are interested in this and have Apache installed, just post a new thread and PM me with the address. I am more than willing to help.

                            Comment


                            • #29
                              Originally posted by WizyWyg
                              Since i experience a "caching" problem with .html files (and NOT vbulletin or other vbulletin sites) working behind a proxy server.

                              What is the "code" that i would use in a webpage (when authoring) if the Header meta tags of pragma no cache doesn't solve the problem 100%?
                              Assuming here that we are not talking about a vBulletin PHP script-generated page, would you mind posting a new thread and PMing me the address? Again note that the solution one can offer in these cases applies certainly to Apache. It might be feasible in Microsoft IIS as well, but I have not used that one so I wouldn't know in that case.

                              Comment


                              • #30
                                In short cosmos, a vb owner should turn "on" the cache option then? I remember the reasoning for having it as an option, due to something similar to somebody downloading your site on their hard drive, or something to that effect...so what I am wondering mostly, will there be any serious security issues having it on?

                                Also, I would be more than interested to learn how to kick up more bandwidth, or streamlining the board with this option on, if indeed that is what you are advising.

                                Comment
