I'm still using XOOPS 2.0.9.3 (pressed for time at the moment) and Saturday I had two ContactUs emails that seem to have assumed my Webmaster user ID -- my email is in the From header on the primary email and the confirmation email was addressed to my webmaster user name and sent to my webmaster email!

This makes me very nervous. Is this a session hijack issue? I can't see anything in the code that might lead to this result.

Thanks.

Sorry for the *bump* but ..
Can anyone help me with session issues?

- How could an anonymous user send a ContactUs message with my Webmaster user and email?
- Why are there multiple records with the same IP in the xoops_session table?

Thanks.

have you got cache enabled for the contact us block? i know there was an old issue that if cache was enabled for contact us, and a webmaster had used it and sent a contact us.. then the page would be cached with his information..

but either way without seeing your site or the message headers we won't know anything.. i doubt it's a session hijack..