Possible EXTREMELY large security hole

  • Flare945
    Senior Member
    • Nov 2000
    • 206
    • 3.0.0 Release Candidate 4

    A member posted this at my board, and someone else was asking "Why they could read other peoples PM's" the other day. We just upgraded to vB2.0 beta 2:

    Every time I log in, I seem to get in as a different member. Sometimes it goes away when I try to get into the staff section, but sometimes it doesn't let me into the staff forums either, and I have to log in manually.

    Now this is not only annoying, but also quite dangerous.

    Check it out. This could be a serious one!

    BTW, up to now I somehow logged in as "blue madcat" and "comander bla".
    Is this a bug? Is there a fix? We have many private forums, with sensitive information in them meant only for the group of users that have access to them. I don't want people to accidentally get access to them.

    Even worse would be if they got in as an admin. They could do whatever they wanted, delete posts..... anything!
  • Flare945
    Senior Member
    • Nov 2000
    • 206
    • 3.0.0 Release Candidate 4

    #2
    This was posted by the user "anwar". He does not know blue MADCAT's password. I am sure of that one, because he is a mod, and wouldn't go around trying to steal users' passwords.

    Code:
    [img]http://fp.geocities.com/anwarbaba2000/cat1.jpg[/img]
    
    [img]http://fp.geocities.com/anwarbaba2000/cat2.jpg[/img]
    This shows proof of how he logged in as him. He did not try to, but it just came up when he had his own cookie.

    Comment

    • Joe
      Senior Member
      • May 2000
      • 2435

      #3
      I was able to log in as a different user on these forums in beta 1. I emailed John about it, never found out what exactly happened... I thought it was fixed, or was a one-time fluke. Guess not.
      Bike Forums.net

      Comment

      • Flare945
        Senior Member
        • Nov 2000
        • 206
        • 3.0.0 Release Candidate 4

        #4
        Well this should be fixed ASAP

        If it isn't, is there a downgrade script that will let me go from 2.0 back down to 1.1.5, because I cannot have this even as a possibility on my forum?

        Comment

        • pedro_gb
          Senior Member
          • Jul 2000
          • 120

          #5
          I've already logged in as another user at SitePointForums as well. I contacted Wayne, though. Here are some screenshots: http://www.tweakpro.com/screenshots/ Amusing it certainly was, but I didn't post.

          Nicky, please don't get angry at me! (I've also logged in as Karl, but I don't have screenshots. Again, please don't get angry at me.)

          Comment

          • Flare945
            Senior Member
            • Nov 2000
            • 206
            • 3.0.0 Release Candidate 4

            #6
            Ed,

            I know you have seen this post, because you're replying to others here.

            Please reply with SOME sort of response to this one.

            Comment

            • pedro_gb
              Senior Member
              • Jul 2000
              • 120

              #7
              Oh, I'll just add that I really don't know how it happened. I simply logged in one day, and I was Karl. The next day I was Nicky, then after a while I logged out and logged back in as me, pedro_gb. Don't know how it happened.

              Actually, I remember that it wouldn't log me out, whatever I tried (using the website). The only way I managed to log out was by deleting the cookie. Very strange.

              Comment

              • Mike Sullivan
                Former vBulletin Developer
                • Apr 2000
                • 13327
                • 3.6.x

                #8
                What do you want me to say?

                I can't say it's fixed, because I've found it impossible to reproduce and I don't see what would be causing it. I have made some code changes though, but who knows at this point.

                Comment

                • Flare945
                  Senior Member
                  • Nov 2000
                  • 206
                  • 3.0.0 Release Candidate 4

                  #9
                  OK,

                  Sorry Ed. You're right. My bad.

                  Comment

                  • DVD Plaza
                    Senior Member
                    • Sep 2000
                    • 697
                    • 3.0.1

                    #10
                    I guess the major threat is if someone happens to find themselves logged in as a moderator, or worse yet - an administrator. How many would resist taking advantage of that situation?

                    Comment

                    • slip
                      Member
                      • Jan 2001
                      • 66

                      #11
                      Well, what I have done at my forum, which I HIGHLY suggest doing, is adding .htaccess to /forum/admin.

                      That way, if somehow a user gets an admin password, they would still have to get past the .htaccess password, which is 15 characters long, with numbers and letters.

                      Comment
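                      The .htaccess suggested in the post above, written out as an added example (this is not from the thread, not vBulletin's own code, and assumes Apache 2.4 syntax; the directory, the password-file path /home/example/private/.htpasswd and the realm name are placeholders):

```apache
# Added example: Apache 2.4 .htaccess placed in /forum/admin to require a second,
# web-server-level password in front of the vBulletin admin scripts.
# Assumptions: mod_auth_basic and mod_authn_file are loaded, and the <Directory>
# block for the forum has "AllowOverride AuthConfig" (otherwise this file is ignored).

AuthType Basic
AuthName "vBulletin admin"          # realm shown in the browser prompt (placeholder)
# Keep the password file OUTSIDE the document root so it can never be downloaded.
AuthUserFile /home/example/private/.htpasswd   # placeholder path
Require valid-user

# Belt and braces: refuse to serve any .ht* file that ever ends up under the web root.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

                      Create the password file with `htpasswd -c /home/example/private/.htpasswd adminuser` (the `-c` flag creates the file; omit it when adding further users), then check the lock is actually in force with `curl -sI https://forum.example.com/forum/admin/`, which should return `401` rather than `200`. On Apache 2.2 and older the `Require all denied` block is written as `Order deny,allow` / `Deny from all`. Two caveats: HTTP Basic authentication sends the credentials base64-encoded on every request, so serve the admin directory over HTTPS; and this only guards the admin control panel. It does nothing about a session that comes up as another ordinary member or as a moderator in the normal forum scripts, which is exactly the case later replies in this thread describe.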

                      • Joshs
                        Senior Member
                        • Jan 2001
                        • 1024

                        #12
                        I have a Windows 2000 Advanced Server. Would I just make the forums a FrontPage web and make a password, or can I use .htaccess? If I can use .htaccess, can someone please tell me how to set it up?
                        ...

                        Comment

                        • dwh
                          Senior Member
                          • Sep 2000
                          • 1224
                          • 3.0.0 Release Candidate 4

                          #13
                          This is an issue for 1.15 as well. I email John about it last week (and got no reply yet).

                          Maybe this is how webhostingtalk was hacked?

                          Red Alert, Red Alert.

                          This is very upsetting. John, can you please tell us you are working on this?

                          Thanks.

                          Comment

                          • Jake Bunce
                            Senior Member
                            • Dec 2000
                            • 46598
                            • 3.6.x

                            #14
                            I think .htaccess is a Linux-only thing.

                            Comment

                            • mkilty
                              Member
                              • Feb 2001
                              • 57

                              #15
                              I don't know if this applies but the other day one of my moderators had his account used by someone else who managed to do some damage before we locked the account.

                              Obviously this is a concern that I hope you can reproduce and fix if so.....

                              Thanks,

                              Michael

                              Comment
