1
limecity
Big security issue :: XOOPS
  • 2004/2/3 19:27

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


that day i was promoting my site to a fren..

i login my site with my webmaster account. i read some of my forums and i copy the URL address and paste it to someone else.

Believe or not.. that person who click on the url i just pasted, views the page as my account. after that he register a new one, he has access to my webmaster account.

its kinda complicated..
when i refresh my screen.. *poof* " its says i am logged in with the new user's nick..


2
tom
Re: Big security issue :: XOOPS
  • 2004/2/3 19:34

  • tom

  • Friend of XOOPS

  • Posts: 1359

  • Since: 2002/9/21


Thats probably because you send them the link with your session info in, which means they use your session info.

I think, but maybe wrong.

3
Mithrandir
Re: Big security issue :: XOOPS

It's a security issue with PHP sessions more than with XOOPS, which is why I in my non-XOOPS authentication scripts combine cookies and sessions to avoid this "copy-paste URL and login" problem.

4
mvandam
Re: Big security issue :: XOOPS
  • 2004/2/3 20:19

  • mvandam

  • Quite a regular

  • Posts: 253

  • Since: 2003/2/7 2


Yes, it sounds like your session was hijacked. Does your URL contain something like SID=1234sdg or SESSIONID=1234asdf or PHPSESSION=1234asdf etc??

Also, just another word of advice...

Use your administrator/webmaster account only for administrative type activities like changing permissions, installing/updating modules etc. Use a less privileged account for participating in forums etc.

Login

Who's Online

396 user(s) are online (316 user(s) are browsing Support Forums)


Members: 0


Guests: 396


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits