1
chrisis
Re: Newbb1 to Newbb2 Problems
  • 2005/3/8 4:26
  • chrisis
  • Just popping in
  • Posts: 17
  • Since: 2004/7/2 2


OK I have stumbled on something: when I change the theme for the website back to "default" (I was using a custom theme) all of a sudden the forum list displays exactly correctly. Can anyone point me at where to find out what I need to do to update my theme to accommodate the new forum software?



2
chrisis
Re: Newbb1 to Newbb2 Problems
  • 2005/3/5 3:00


I have the same problem. However, I got some errors when I ran the newbb1 to newbb2 update script:

Quote:

failed open fileModule data updated.
Updating templates...
Template newbb_poll_results.html inserted to the database.
Template newbb_index.html inserted to the database.
Template newbb_searchresults.html inserted to the database.
Template newbb_search.html inserted to the database.
Template newbb_thread.html inserted to the database.
Template newbb_viewforum.html inserted to the database.
Template newbb_viewtopic_flat.html inserted to the database.
Template newbb_viewtopic_thread.html inserted to the database.
Template newbb_rss.html inserted to the database.
Template newbb_viewall.html inserted to the database.
Template newbb_poll_view.html inserted to the database.
Template newbb_online.html inserted to the database.

Unable to write to main menu.


The view of the forums remains the same for a standard user account and my admin account.



3
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/12/3 4:00


No, it's still the old link. The original link with a phpsessid in it STILL gets into the site as the last-logged-in person, despite emptying the sessions table.

It's weird as.

Anyway my site is about to die, it's been down over a week now. I'm going to try copying over the files on my site with a default clean set downloaded from here... if that doesn't work I will switch to a new CMS.



4
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/30 7:04


OK, I emptied the xoops_sessions table, with no joy. If I log in, a new session is created in the xoops_sessions table that is linked to my ip address.

A friend then clicks the link and bingo, he's in, but the sessions table doesn't update -- stays the same including my IP address the only one listed. He then logs out, and attempts to login with his own account, not using the hack -- my session is removed from the table and one is opened with his IP address.

This behaviour is beyond me.

I'm assuming that I may have to revert back to getting rid of the "remember me" hack, but I don't know if that is going to solve the problem (I seem to recall a similar problem before, but I might have sequences wrong in my recall).

What worries me is that this vulnerability seems to be oblivious of the actual php/html of the pages served -- it gains access by going directly to the database. Do you think if I replace all my php files I will clear out the "Remember Me" hack and thus close the hole? I am trying to get hold of the developer that set it up for me, as the only choice I have is to get rid of the hack and restore my site to not being vulnerable, or move to a different CMS. Which I don't want to do as I love xoops.

Anyway, some comments on removing the remember me hack would be much appreciated.



5
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/30 4:07


Quote:

ajaxbr wrote:
Hey chrisis, any feedback on this?
If you're afraid of trying these tricks, I can give you an admin session link so you can login in my site as these hackers wannabe do in yours and we can test it there... PM me and we can set it up


Hiya -- thanks for your concern. Unfortunately "it never rains, but it pours" in my case. My ISP decided to "upgrade" their management tools and as a result deleted phpmyadmin access to my db. They are experiencing massive problems so I couldn't even phone them for help -- had to email them and wait for a reply!

Which I have now got. I've emptied the session table. Going to go home now and do a test to see if that has resolved the problem. Will let u guys know as soon as I have a result.



6
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/26 5:19


Quote:

DonXoop wrote:
Won't the session id expire when you logout? Are you using a "remember me" hack or a really long session timeout? I would think that you could logout properly and then get a new session id next time. Clear out the caches and your local cache and cookies.

It is safer to not use a remember me hack for the admin logins. Even better to make a dedicated webmaster that you don't use for day to day browsing of your own site.

Good luck.


I am using a "remember me" hack, implemented by a developer that helped set up the site. Unfortunately my users pretty much demanded it, which is why it is there.

I'll take this advice from here on out -- to not have the admin user remembered. That will protect me from someone getting admin access, but I still have the problem of the phpsessid. I've made the original changes, but being unsure of things, could someone look over this and tell me if I have the correct line in the correct place in mainfile.php?

//  You should have received a copy of the GNU General Public License        //
//  along with this program; if not, write to the Free Software              //
//  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA //
//  ------------------------------------------------------------------------ //

// added by Chrisis to combat session hijack via php
// stops PHP from appending PHPSESSID=... to links and form actions
ini_set('session.use_trans_sid', false);

if ( !defined("XOOPS_MAINFILE_INCLUDED") ) {
    define("XOOPS_MAINFILE_INCLUDED", 1);
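An added example (editor's code, not from chrisis, XOOPS or anyone in the thread) showing the three pieces that together make a leaked PHPSESSID link harmless: the use_trans_sid line above plus cookie-only and strict-mode session settings, a redirect that drops a session id still arriving in the query string, and id regeneration at login, which is the step missing in the shared-session behaviour described in post 4. Assumes PHP 7 or later; on_login_success and $uid are hypothetical names.

```php
<?php
// Added example, not from the thread or XOOPS. Goes at the top of the front
// controller, before session_start(); the CMS's own session code is not shown.

// 1. Session ids travel in cookies only: never read from, or written into, URLs.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
// Refuse any id the server did not issue itself (PHP >= 5.5.2). Without this a
// client presenting an arbitrary id simply has a session created under that id,
// which is why emptying the sessions table alone does not revoke a leaked link.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

// 2. If a PHPSESSID still arrives in the query string (old links in the wild),
//    drop just that parameter and redirect before any session is opened.
function strip_session_id_from_url(string $uri, string $name): string
{
    $parts = parse_url($uri);
    if ($parts === false) {
        return '/';
    }
    $query = [];
    if (!empty($parts['query'])) {
        parse_str($parts['query'], $query);
        unset($query[$name]);
    }
    $path = $parts['path'] ?? '/';
    return $query ? $path . '?' . http_build_query($query) : $path;
}

if (isset($_GET[session_name()])) {
    $clean = strip_session_id_from_url($_SERVER['REQUEST_URI'], session_name());
    header('Location: ' . $clean, true, 302);
    exit;
}

session_start();

// 3. Rotate the id the moment authentication succeeds and delete the old
//    record, so whatever id the visitor arrived with never becomes a logged-in one.
function on_login_success(int $uid): void   // hypothetical hook name
{
    session_regenerate_id(true);
    $_SESSION['uid']        = $uid;
    $_SESSION['login_time'] = time();
}
```

With session.use_strict_mode on, an id that is not in the session store is refused and a fresh one issued, so clearing the sessions table then actually revokes old links; a custom save handler (as a database-backed one would be) only gets this behaviour if it implements validateId().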



7
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/26 2:26


Thanks for the tips -- I'll give these a go.



8
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/25 23:42


Can nobody help me with this, please? My site is still down because I don't know how to prevent the bug exploiting my site once the url is already out there.

PLEASE help -- I'm totally stuck atm.

Quote:

chrisis wrote:
My site has had this done to it... and unfortunately someone posted the link in an irc channel.

I've made the changes suggested here, but ppl still have that link and it still works....!! If I log in, and someone tries the link, they get access to the site as my username!

Is there any way of locking my site down so that the PHPSESSID string has no effect, after the fact?

Thanks for your help -- my site is down for now and I can't bring it back up till I have a solution. :(



9
chrisis
Re: Session hijacking vulnerability in XOOPS 2.0.7.3
  • 2004/11/24 5:21


My site has had this done to it... and unfortunately someone posted the link in an irc channel.

I've made the changes suggested here, but ppl still have that link and it still works....!! If I log in, and someone tries the link, they get access to the site as my username!

Is there any way of locking my site down so that the PHPSESSID string has no effect, after the fact?

Thanks for your help -- my site is down for now and I can't bring it back up till I have a solution. :(



10
chrisis
Re: First argument should be an array
  • 2004/10/23 21:11


I'm getting this error too. I just updated to newbb2 on my site. I get the error when I go to edit a forum.

After reading this thread I updated my common.php and version.php to v2.0.7.3, but it has made no change. Is there something more I need to do?

/edit: I updated the system module. Then I went and downloaded the whole package for v2.0.7.3 and copied those files over my existing XOOPS files. Fixed mainfile.php. Updated system module again, and newbb module again. I still get the error.

I'm not sure if it is related but atm I can't see any forums. I have gone into the forum to update permissions, giving global access to a forum to "registered users" and giving permission to registered users to post etc, but registered users still can't see any forums, only categories. I think it is because the page where I edit the forum permissions generates this error??


