Re: Seems to be a security hole in 2.0.10! BIG! [Xoops Bug Reports]

1

Seems to be a security hole in 2.0.10! BIG!

2005/4/25 21:59
neoMJ
Just popping in
Posts: 6
Since: 2005/4/25

Ok guys, I guess we have a problem with 2.0.10 release...

I use default NewBB as a forum and my wholse XOOPS site is upgraded to 2.0.10..

Let me explain what happens:

When I send a link from a "private forum" topic to somebody who is not a member of my site, and when I am logged in at the moment, as soon as the other side clicks on the link he takes over my account! That means I got automatically logged out and he becomes logged in with my user name! Without entering a password! Just clicking on the link...

I don't wanna be exaggerating anything but that seems to be a serious bug! Can anybody look at it?

2

Re: Seems to be a security hole in 2.0.10! BIG!

2005/4/25 22:03
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

i'm just guessing here, but does the link you give contain anything like PHPSESSIONID in the url?

if so that's the problem.. make sure u remove the sessionid from the url u post, it's more a server config than XOOPS if it is that problem..

If you have access to in php.ini set "session.use_trans_sid" to false

If you don’t have access to php.ini, add the following line to an .htaccess file

php_flag session.use_trans_sid off

3

Re: Seems to be a security hole in 2.0.10! BIG!

2005/4/25 22:11
neoMJ
Just popping in
Posts: 6
Since: 2005/4/25

Yes it contains PHPSESSIONID...

I was suspecting that but I don't have much knowledge of that thing...

I don't have access to php.ini.

But I can create a ..htaccess file.

I wanna ask where should I create it? In which directory?

4

Re: Seems to be a security hole in 2.0.10! BIG!

2005/4/25 22:15
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

place it in your root XOOPS folder, the one that contains mainfile.php

5

Re: Seems to be a security hole in 2.0.10! BIG!

2005/4/25 22:17
neoMJ
Just popping in
Posts: 6
Since: 2005/4/25

Ok thank you very much!

6

Re: Seems to be a security hole in 2.0.10! BIG!

2005/5/8 22:45
javier
Not too shy to talk
Posts: 184
Since: 2002/8/6 1

Every time i tried to added a .htaccess file in my XOOPS dir, i get the typical IE error and i can´t view the site.

Any ideas?
grettings

7

Re: Seems to be a security hole in 2.0.10! BIG!

2005/5/9 1:20
davidl2
XOOPS is my life!
Posts: 4843
Since: 2003/5/26

Are you using an ftp client to upload or internet explorer? IE may not like creating the .htaccess file

8

Re: Seems to be a security hole in 2.0.10! BIG!

2005/5/9 1:27
javier
Not too shy to talk
Posts: 184
Since: 2002/8/6 1

ftp client of course, Excuse my bad english, with IE i mean i get a IE error,

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

That`s every time i upload a .htaccess file, if i delete the .htaccess file all back to normal.

Before you ask, the content of my .htaccess file is:

 php_flag register_globals off  
php_flag session.use_trans_sid off

grettings

9

Re: Seems to be a security hole in 2.0.10! BIG!

2005/5/9 2:15
RVirtue
Quite a regular
Posts: 246
Since: 2004/8/4 9

I suspect that your hosting service provider is running PHP in CGI mode. (Many of them consider doing that and loading PHPSuexec more secure than running PHP as an Apache module.) You may be able to verify the PHP environment from your hosting contol panel's system information or you can check directly with your service's tech support.

If that is so, then .htaccess won't work. You need to remove it to get rid of those errors. Instead, use a php.ini file in the same location and put the equivalent configuration values into it:
register_globals = Off
session.use_trans_sid = 0

10

Re: Seems to be a security hole in 2.0.10! BIG!

2005/5/9 3:27
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

sometimes in CGI mode you can use a php.ini file of your own..

ie.

create a file and name it php.ini

in this file add:

session.use_trans_sid = off
session.use_only_cookies = on

and then save it to your root XOOPS folder, and then save the same file to every modules folder and modules/admin folder..

to test if it has worked properly, use a phpinfo() script and place it in the same folder as your php.ini file and then call the script.. if those values reported are the same as in your php.ini then it has worked..

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Seems to be a security hole in 2.0.10! BIG!

Re: Seems to be a security hole in 2.0.10! BIG!

Re: Seems to be a security hole in 2.0.10! BIG!

Re: Seems to be a security hole in 2.0.10! BIG!

Re: Seems to be a security hole in 2.0.10! BIG!

Re: Seems to be a security hole in 2.0.10! BIG!

Re: Seems to be a security hole in 2.0.10! BIG!

Re: Seems to be a security hole in 2.0.10! BIG!

Re: Seems to be a security hole in 2.0.10! BIG!

Re: Seems to be a security hole in 2.0.10! BIG!

Login

Search

Recent Posts

Re: Mymenus Module with XOOPS 2.5.11-Stable

Re: Mymenus Module with XOOPS 2.5.11-Stable

Re: Mymenus Module with XOOPS 2.5.11-Stable

Re: PodTalk Theme (PUBLISHER)

PodTalk Theme (PUBLISHER)

Re: Mymenus Module with XOOPS 2.5.11-Stable

Re: Mymenus Module with XOOPS 2.5.11-Stable

Re: Mymenus Module with XOOPS 2.5.11-Stable

Re: Migrate from Wordpress

Re: Error in https://xoops.org/modules/wggithub/

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}