31
ReCkage
Re: Security Problem
  • 2004/5/31 17:05

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


After more testing, we also found that if you enter your username and password wrong you get the page saying incorrect logon, but it brings you into the site as someone else. This problem seems to be getting larger.



32
ReCkage
Re: Possible security problem !!!
  • 2004/5/31 16:01



I've seen that error before; it happened on my host. The tmp partition was too small, which caused that error to show up. Just a thought.



33
ReCkage
Re: Registered User question
  • 2004/5/31 15:53



I had this same problem on my site. I had some programmers create the feature, but it is basically a custom job for each site. If you want, I'll get them to do a How To.

Our hack: during registration, ask the user for the group they belong to. In our case it's for a school, so they chose their program of study. It works great so far; we haven't had any issues.



34
ReCkage
Re: Security Problem
  • 2004/5/27 18:15



Actually the site is hosted on a shared server, so I can't watch the data. But I do have custom session off.

Is there a way to turn off PM totally?



35
ReCkage
Re: Security Problem
  • 2004/5/27 17:56



We have been heavily testing since we found this problem. And today we finally realized it only happens when users send PMs.



36
ReCkage
Re: Security Problem
  • 2004/5/27 17:51



I turned off custom sessions, and it still continues. How do you turn off the PM popup?



37
ReCkage
Re: Security Problem
  • 2004/5/27 17:23



OK, we have tracked the problem down to the private message feature. Anytime someone on the site creates a PM, after that point everyone starts becoming someone else. We have set the custom session time to 0; that didn't help. We first thought it was a phpmyadmin module, but the problem persisted. Does anyone know if the PM feature is affected by any other module?

Quote:

tl wrote:
Since the problem is not duplicable on this site (xoops.org), it has to do with the unofficial modules installed or your setup. I think it is more the first.

To find out which module is the culprit, you would have to uninstall the unofficial modules one-by-one and test F5 key after each uninstall.

Please keep us posted on which module is causing the problem, so the community and the developer could be advised of the security breach. Thank you.




38
ReCkage
Re: Security Problem
  • 2004/5/24 21:29



OK, here we go.

Running on Apache 1.3.29 (Unix)
Xoops 2.0.6

Modules
FAQ
Forum
MyADS
Polls
Links
ICalendar
Members
Downloads
Sections
Job Listings

Problem is reproducible every time F5 is hit.



39
ReCkage
Security Problem
  • 2004/5/24 19:25



I am about to go public with a site for my university. But during testing we realized that if you hit F5 to refresh a page, you end up as someone else that is already logged on. How can we stop this? Security is a big issue for this site.



