Announcement

Collapse
No announcement yet.

Security problem with 2.20??

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Originally posted by ToraTora!
    in short cosmos, a vb owner should turn "on" the cashe option than? I remember the reasoning having it as a option, due to something similar as somebody downloading your site on their hardrive, or something to that affect...so what I am wondering mostly, will there be any serious security issues having it on?
    That option should not exist at all! The default behaviour should be similar to an always-on "no-cache" option though. Additionally, changes must be made on the expiration headers sent, depending on the nature of the data sent (user logged on/not logged on, viewing personalized information etc). See post above with examples (1)-(6). Again, I must stress that this is work for Jelsoft and not a vBulletin owner.

    Also, I would be more than interested to learn how to kick up more bandwidth, or streamlining the board with this option on, if indeed that is what you are advising.
    See my proposal for a new thread to WizyWyg/tubedogg above. Still waiting!

    Comment


    • #32
      ok. So, its safe to say, that for the time being, if I have them off, and somebody with a proxy comes along, i could encounter the same problems as above.

      If I have them on, than technically, they may still seep through, unless some of the code is actually changed, or some interaction with the apache server is implemented from the vb php files.

      What would be your advice for a temporary setting, until there is some resolution to this problem cosmos? off or on?

      Comment


      • #33
        Originally posted by ToraTora!
        If I have them on, than technically, they may still seep through, unless some of the code is actually changed, or some interaction with the apache server is implemented from the vb php files.
        The answer here is that PHP code has to be modified. The changes imposed would no be web-server (e.g. Apache) related. Mind you, modifications needed would be small.
        What would be your advice for a temporary setting, until there is some resolution to this problem cosmos? off or on?
        [/B]
        Definitely enable the no-cache setting in the control panel.

        Comment


        • #34
          well, a definite thanks for your advice is in order. I had not realized this matter was as serious of a problem, until i noticed this thread start to rise in overall views and posting numbers, which lead me to believe it is a common occurence, rather than isolated, which would also directly affect our board, due in part most of our users have a infactuation with proxie servers. (AOL namely)

          I also appreciate your time, and obvious concern to this matter, and hopefully this is something that can be resolved rather quickly.

          Thanks again to all who brought this to our attention, and advance thanks to those who are going to resolve it.

          Wow...im still shocked actually that this problem was occuring........

          Comment


          • #35
            It's always a mixed feeling to be the first to notice these things and feel like you're hammering on brick walls to have it recognized. Anyhow, I'll be in first thing in the morning to see if the changes John made helped.
            Toddler from Hell

            Comment


            • #36
              I disagree that this should not still be an option. If as you say it only works with Apache, where does that leave our other clients who use everything from IIS to Xitami?

              Comment


              • #37
                Originally posted by John
                I have just uploaded a new sessions.php file to this server to see if I might have found something. Can you test if the problem is still occuring.

                Also, you can only compare vBulletin with other pieces of software if that software offers a cookie-free option. I am not sure about Hotmail, but I am pretty sure you would not be able to log in if you did not have cookies turned on.

                It is the cookie-free option that seems to be creating this problem, I think.

                John
                Sorry, John, still no-go. I've just started this PC at work. loaded up this forum, got the initial not logged in page (ie. Guest). When I then refreshed the main page, I magically appear logged in as Fusion, which was the last profile used, as far as I know. Now, when I went to view my User CP/Options, it still said that auto-login and cookies were set to no, and every page was using sessions.

                EDIT
                Eeek, just on a whim I tried the logout function, and am rather amazed that the changes you made apparantly broke that aswell. After clearing the cache and manually verifying there is no cookies on the machine, refreshing the not logged in view of the main page also returned me as Fusion. Whatever did you do?
                John, if you have a test-site that uses extensive logging of the requests and responses sent, may I please have access to it in order to show more clearly what's going on?

                /EDIT
                Last edited by Fusion; Sun 25th Nov '01, 11:29pm.
                Toddler from Hell

                Comment


                • #38
                  Originally posted by tubedogg
                  I disagree that this should not still be an option. If as you say it only works with Apache, where does that leave our other clients who use everything from IIS to Xitami?
                  Well, if it is to remain an option, it should be abundantly clear to the admins, and maybe even the users that the board is using this option, and what the possible consequences might be. That way it would be clear to everyone.
                  Toddler from Hell

                  Comment


                  • #39
                    I disagree that this should not still be an option. If as you say it only works with Apache, where does that leave our other clients who use everything from IIS to Xitami?
                    tubedogg, please read my post more carefully. I quote:

                    The answer here is that PHP code has to be modified. The changes imposed would not be web-server (e.g. Apache) related. Mind you, modifications needed would be small.
                    I repeat again: the only modififcations needed are to the vBulletin PHP scripts!

                    I mentioned Apache in another (OT) topic, that would address a general issue of optimizing one's server bandwidth.

                    Does this make it clear?

                    Comment


                    • #40
                      Originally posted by cosmos

                      I repeat again: the only modififcations needed are to the vBulletin PHP scripts!

                      I mentioned Apache in another (OT) topic, that would address a general issue of optimizing one's server bandwidth.

                      Does this make it clear?
                      but it doesn't address the problems with normal html files.
                      There are only 10 types of people in the world: Those who understand binary, and those who don't

                      Comment


                      • #41
                        Originally posted by WizyWyg
                        but it doesn't address the problems with normal html files.
                        See my reply on your general (non-vBulletin related) Cache / Headers > Prevention? thread.

                        Comment


                        • #42
                          Fusion,

                          If you have ICQ, I would be very glad to hear from you - do a search for my email address ( [email protected] ) if you want me.

                          Also, when you refreshed the page, and you saw yourself logged in -- that was after you had cleared cookies, etc?!? That should not be possible, and I cannot see how it is possible, from the code. Was the page up to date, or was it a cached version? (You can tell by the place where it says 'the current time is: xxx' .

                          Thanks,

                          John
                          John Percival

                          Artificial intelligence usually beats real stupidity ;)

                          Comment


                          • #43
                            Originally posted by John
                            Fusion,

                            If you have ICQ, I would be very glad to hear from you - do a search for my email address ( [email protected] ) if you want me.
                            Heh, I really should get ICQ. Being an old-timer, I've only done IRC. I'll see what I can do.
                            Also, when you refreshed the page, and you saw yourself logged in -- that was after you had cleared cookies, etc?!? That should not be possible, and I cannot see how it is possible, from the code. Was the page up to date, or was it a cached version? (You can tell by the place where it says 'the current time is: xxx' .

                            Thanks,

                            John
                            Yes, that was after I'd zapped the cache and any and all cookies on the machine. The page was up to date after the refresh, yes. The only thing it could be, is the proxy's cache, and that's exactly what I'm asking you to prevent. I'm really concerned about this.
                            Last edited by Fusion; Tue 27th Nov '01, 6:34am.
                            Toddler from Hell

                            Comment


                            • #44
                              Originally posted by John
                              Also, when you refreshed the page, and you saw yourself logged in -- that was after you had cleared cookies, etc?!? That should not be possible, and I cannot see how it is possible, from the code. Was the page up to date, or was it a cached version? (You can tell by the place where it says 'the current time is: xxx' .
                              John, in the specially coded version you've sent to Fusion, what is Cache-Control/Expires/Pragma set to?

                              Could you try to modify the scripts the following in the response, as per example 5 above, that is:
                              Code:
                              Cache-Control: no-store
                              Pragma: no-cache
                              Expires: Thu, 01 Jan 1970 00:00:00 GMT
                              Last edited by cosmos; Tue 27th Nov '01, 8:36am.

                              Comment


                              • #45
                                I didn't realize what this problem was, until after my board was opened last nigt, and tried logging out...I deleted all cookies, pressed the log out link, deleted temp files, IE history, and closed the browser....went back to mugglenetforums.com, and I was still logged in.

                                Comment

                                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                                Working...
                                X