Users auto-logged as someone else?

  • tamarian
    Senior Member
    • Oct 2000
    • 784
    • 1.1.x

    Users auto-logged as someone else?

    After upgrading to 2.2.5, I've had members report they have been auto-logged in as another user. They're not using the same PC or anything I can make sense of.

    Here's a report by a member:

    Support for Atkins diet, Protein Power, CAD, Zone, Dr. Bernstein, CKD and any other low-carb high-protein diet, all are welcome in our lowcarb discussion community message boards. Free, and open to share ideas, support, recipes and more.


    Any insights on what might be happening?
    vB Drupal Community Plumbing | vB Survey | vBusy | vB Spell | vBouncer
  • George L
    Former vBulletin Support
    • May 2000
    • 32996
    • 3.8.x

    #2
    are they with same ISP behind a proxy ?
    :: Always Back Up Forum Database + Attachments BEFORE upgrading !
    :: Nginx SPDY SSL - World Flags Demo [video results]
    :: vBulletin hacked forums: Clean Up Guide for VPS/Dedicated hosting users [ vbulletin.com blog summary ]


    • tamarian
      Senior Member
      • Oct 2000
      • 784
      • 1.1.x

      #3
      Originally posted by eva2000
      are they with same ISP behind a proxy ?
      No, they have different ISP's, and different IP's, one in the U.K., and one in the U.S.

      • JulianD
        Senior Member
        • Mar 2002
        • 305
        • 3.8.x

        #4
        I've been having the same problem and I really don't know how to fix it.
        ~ LANeros.com ~


        • tamarian
          Senior Member
          • Oct 2000
          • 784
          • 1.1.x

          #5
          Originally posted by eva2000
          are they with same ISP behind a proxy ?
          Correction, last IP's are different, but when checking all IP's, they do occasionally share the same proxies.

          This shouldn't be a problem though, right?

          • tamarian
            Senior Member
            • Oct 2000
            • 784
            • 1.1.x

            #6
            Bump.

            This is obviously a serious security problem as one of the users in this mixup has mod rights, and access to private forums.

            • Steve Machol
              Former Customer Support Manager
              • Jul 2000
              • 154495
              • 5.7.5

              #7
              Fill out a Support form at:



              Be sure to include all relevant info and the login info to your Admin CP and FTP.
              Steve Machol, Founder of the OptiBoard Discussion Forums for Eyecare Professionals

              Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


              • tamarian
                Senior Member
                • Oct 2000
                • 784
                • 1.1.x

                #8
                Originally posted by smachol
                Fill out a Support form at:



                Be sure to include all relevant info and the login info to your Admin CP and FTP.
                Done yesterday.

                • tamarian
                  Senior Member
                  • Oct 2000
                  • 784
                  • 1.1.x

                  #9
                  Originally posted by smachol
                  and the login info to your Admin CP and FTP.
                  Oops, no, I didn't supply this info, just server set up, PHP and MySQL.

                  • tamarian
                    Senior Member
                    • Oct 2000
                    • 784
                    • 1.1.x

                    #10
                    I hope vB is working on a fix for this, as I haven't been contacted.

                    I have demoted a mod, whose account is compromised by this until we figure it out. Not sure if this is good enough though, since even my admin account might get into the same problem....

                    • tamarian
                      Senior Member
                      • Oct 2000
                      • 784
                      • 1.1.x

                      #11
                      This is the same problem reported here:



                      And it's the same proxy.

                      • tamarian
                        Senior Member
                        • Oct 2000
                        • 784
                        • 1.1.x

                        #12
                        Would a mod please move this to the bugs forum? Or let me know if Jelsoft thinks this is not a bug?

                        • Steve Machol
                          Former Customer Support Manager
                          • Jul 2000
                          • 154495
                          • 5.7.5

                          #13
                          I can't duplicate this problem on my forums therefore it's too early to classify it as a bug. You'll just need to be patient and wait for someone to respond to your support ticket.

                          Are your users able to post as someone else? If not, then this is most likely a proxy issue that can be resolved by making sure they set 'Automatically login' and 'Browse the board with cookies' to 'yes'. You also need to make sure that cookies aren't blocked either because of browser settings or third party software.

                          • tamarian
                            Senior Member
                            • Oct 2000
                            • 784
                            • 1.1.x

                            #14
                            Originally posted by smachol
                            I can't duplicate this problem on my forums
                            Umm, how did you try to duplicate it? 2 different PC's from different ISP's using different Netsetter/MarketScore accounts, and different vB accounts? If not, you won't be able to duplicate it.

                            There's 5 different vB forums already reporting this problem in two different threads.

                            Note that we only knew about it when our members told us. This clearly means there are many vB's running clueless to this problem, if they weren't notified, or didn't take the users' enquiries seriously.

                            Can they post as someone else? Not to my knowledge. But they can access other member's profiles, edit/options. At that point they decided not to submit changes, and I'm glad they didn't. They can also see invisible forums, and if I could fly to the U.K. to check the user's PC and test what else they can do, I'd do it.

                            I'm quite patient, while taking security holes seriously at the same time, and would like them addressed ASAP. In the meantime, acknowledging the problem is a good step.

                            • Steve Machol
                              Former Customer Support Manager
                              • Jul 2000
                              • 154495
                              • 5.7.5

                              #15
                              I have plenty of users who access my forums from behind company proxies and have never had this problem. Of course I have done as I suggested in my previous message in regards to setting the options to use cookies. Have you checked into this yet?

                              The proxy issue is not a new one. It's been around for a long time. As for people being able to access other members' accounts to change the options, I've honestly never heard of this happening. I am not taking this lightly, but the truth is that I know of no logical reason for this to ever happen on the default vB.

                              Be sure to update your support ticket with any evidence you have in support of people being able to access and change other people's accounts. If this can be shown, then of course it raises the stakes a bit.