Users auto-logged as someone else?


  • Users auto-logged as someone else?

    After upgrading to 2.2.5, I've had members report they have been auto-logged in as another user. They're not using the same PC or anything I can make sense of.

    Here's a report by a member:

    http://forum.lowcarber.org/showthrea...threadid=40420

    Any insights on what might be happening?
    vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer

  • #2
    are they with same ISP behind a proxy ?
    :: Always Back Up Forum Database + Attachments BEFORE upgrading !
    :: Nginx SPDY SSL - World Flags Demo [video results]
    :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ vbulletin.com blog summary ]



    • #3
      Originally posted by eva2000
      are they with same ISP behind a proxy ?
      No, they have different ISPs, and different IPs, one in the U.K., and one in the U.S.
      vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



      • #4
        I've been having the same problem, and I really don't know how to fix it.
        ~ LANeros.com ~



        • #5
          Originally posted by eva2000
          are they with same ISP behind a proxy ?
          Correction, last IPs are different, but when checking all IPs, they do occasionally share the same proxies.

          This shouldn't be a problem though, right?
          vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



          • #6
            Bump.

            This is obviously a serious security problem as one of the users in this mixup has mod rights, and access to private forums.
            vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



            • #7
              Fill out a Support form at:

              http://www.vbulletin.com/members/support.php

              Be sure to include all relevant info and the login info to your Admin CP and FTP.
              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
              Change CKEditor Colors to Match Style (for 4.1.4 and above)

              Steve Machol Photography


              Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




              • #8
                Originally posted by smachol
                Fill out a Support form at:

                http://www.vbulletin.com/members/support.php

                Be sure to include all relevant info and the login info to your Admin CP and FTP.
                Done yesterday.
                vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



                • #9
                  Originally posted by smachol
                  and the login info to your Admin CP and FTP.
                  Oops, no, I didn't supply this info, just server set up, PHP and MySQL.
                  vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



                  • #10
                    I hope vB is working on a fix for this, as I haven't been contacted.

                    I have demoted a mod whose account is compromised by this until we figure it out. Not sure if this is good enough though, since even my admin account might get into the same problem....
                    vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



                    • #11
                      This is the same problem reported here:

                      http://www.vbulletin.com/forum/showt...threadid=44087

                      And it's the same proxy.
                      vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



                      • #12
                        Would a mod please move this to the bugs forum? Or let me know if Jelsoft thinks this is not a bug?
                        vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



                        • #13
                          I can't duplicate this problem on my forums therefore it's too early to classify it as a bug. You'll just need to be patient and wait for someone to respond to your support ticket.

                          Are your users able to post as someone else? If not, then this is most likely a proxy issue that can be resolved by making sure they set 'Automatically login' and 'Browse the board with cookies' to 'yes'. You also need to make sure that cookies aren't blocked either because of browser settings or third party software.
                          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                          • #14
                            Originally posted by smachol
                            I can't duplicate this problem on my forums
                            Umm, how did you try to duplicate it? 2 different PCs from different ISPs using different Netsetter/MarketScore accounts, and different vB accounts? If not, you won't be able to duplicate it.

                            There's 5 different vB forums already reporting this problem in two different threads.

                            Note that we only knew about it when our members told us. This clearly means there are many vB's running clueless to this problem, if they weren't notified, or didn't take the users' enquiries seriously.

                            Can they post as someone else? Not to my knowledge. But they can access other members' profiles, edit/options. At that point they decided not to submit changes, and I'm glad they didn't. They can also see invisible forums, and if I could fly to the U.K. to check the user's PC and test what else they can do, I'd do it.

                            I'm quite patient, while taking security holes seriously at the same time, and would like them addressed ASAP. In the meantime, acknowledging the problem is a good step.
                            vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer



                            • #15
                              I have plenty of users who access my forums from behind company proxies and have never had this problem. Of course I have done as I suggested in my previous message in regards to setting the options to use cookies. Have you checked into this yet?

                              The proxy issue is not a new one. It's been around for a long time. As for people being able to access other members' accounts to change the options, I've honestly never heard of this happening. I am not taking this lightly, but the truth is that I know of no logical reason for this to ever happen on the default vB.

                              Be sure to update your support ticket with any evidence you have in support of people being able to access and change other people's accounts. If this can be shown, then of course it raises the stakes a bit.
                              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)