XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. Q and A 
  4.  / HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!
Register
1
Forlorndeeds
HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

Hey,

This is really urgent.
I'm having something weird going on with my site. I think something is corrupted, or something.
I have WF-Sections and Xgallery installed.

The thing here, is that all members can see the "edit, delete" link in WF-Sections, and some can edit all articles, and some can't. This really exetreme, beacause it gives them access to the admin panel as well.
I have closed the site beacause I fear another attack.

Just today, admin.php is giving me 500 interal server errors, and I have done nothing to xoops.

Also, in Xgallery, people see the admin panel, to switch to admin panel, and edit pics.

I don't think it's the modules at all, beacause this is globely now.

I can't access my own admin panel, I have to go through WF-Sections to access it.

I need help! Can anyone help me out.
It scared the crap out of me, after someone told me, and edited an article, and I shut the site down.

Any help?

If you want, I can create an account for you guys to see.
2
m0nty
Re: HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

  • 2004/8/7 6:37

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


can u get into admin at all?

if so, check in system module then click groups and check what users are in webmaster group..

also check that permissions for registered group haven't been altered so that it gives them module admin rights..
3
Forlorndeeds
Re: HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

I found the reason for it.
We had our cache on our WF-Section for about a minute or so. When I visited the WF-Section, my imprint was left there, allowing people to "Edit" documents.

When you edited the document, it allowed you access to the whole admin menu. Users were able to change setttings of the website.
I've cleared the cache, and set it to "no".
But I'm still runnning problems. Can you be able to find out who accessed the admin panel? I get internal sever errors when accessing the admin.php panel now. and I have no idea why it's acting that way.

Any fix?

I did'nt know cache could allow you access to things you did'nt have access too.
If so, is there a possible fix for this in the future? Gave me fright.
4
Bender
Re: HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

  • 2004/8/7 9:35

  • Bender

  • Home away from home

  • Posts: 1899

  • Since: 2003/3/10



As security is checked several times especially if you start accessing other stuff the user must really become you then. I don´t think activationg cache on WF-Sections or for the matter a single module could cause that.

Which version of WF-Sections are you using? (2.01?)
Is this reproduceable?

If so: Please give me a short discription how to reproduce it.

I tried this with different versions and can´t reproduce this happening.

If it is not:
There was a discussion here in the past that user got admin rights in a very little number of cases which never came to a conclusion to what was causing it if i remember correctly.
I think two people reported this to happen for them.
(can´t find it for now but i am sure it is in here somewhere. Anyone else remembers that discussion?)

5
Forlorndeeds
Re: HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

Yeah. WF-Sections is really unstable on my server for some reason. Allarticles.php times out as well. No clue why though.

But yeah, basicly I set the cache for one minute.
I created a dummie account, and went through it, and the edit and delete buttons were showing. I tried to get into it, but access was denied. But, some other users were able to get pass it, I don't know why.
They were only able to edit articles which were made by me.
I'm running the latest of WF-Sections 2.01.
But, I have confirmed and seen, a user go into an article, and actually edit and save an article to the database.

Yeah, and from there, they were able to go and screw around with the settings of the admin panel.

I don't want to reproduce it, beacuase I fear that someone could get in again.
But I'm pretty sure it could happen again.

I'm really looking forward to the new release of WF-Sections, I really hope it solves my problems with it, as I do not want to switch.
6
wtravel
Re: HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

Hi,

Can you also tell us which XOOPS version are you running?

Regards,

Martijn
7
Forlorndeeds
Re: HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

The latest. 2.07
8
Catzwolf
Re: HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

  • 2004/8/7 15:06

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


Quote:

Forlorndeeds wrote:
Hey,

This is really urgent.
I'm having something weird going on with my site. I think something is corrupted, or something.
I have WF-Sections and Xgallery installed.


Not sure what happened exactly here, but it sounds like that you may have given certain users admin access by mistake and because you had cache on this could have carried it on (hence why everyone could edit your articles).

Your second issue is not actually a fault of WF-Sections but more a server memory limitation problem. It seems that you have over 300 or 400 users registered to your website and a limited amount of memory allocated to you from your web server.

The main admin page is doing quite a lot of work and listing all users in the pull down menu uses quite a bit of memory (The same happens when trying to email many users at the same time).

There is a fix for this issue on our website.
9
Forlorndeeds
Re: HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

I check it.

I did'nt give users any access to the admin console, only access they had was the Spaw editor, and that's pretty much it.
I don't have 300-400 users, I have about 150 or so. and during peak, there's only 9 people browsing my site.

Also, how do you run test, and see how much memory allocated to the webserver? I really plan on going over 1000+ users, and I want to be prepared for that.

The internal server error went away fro a day, I did nothing.
10
Mithrandir
Re: HELP!! Security Comprimised! Users are somehow have ADMIN STATUS!

Regarding the editing issue. I'm not all that familiar with WF-Section, but looking at the code article submissal for version 2.01 there is a check to see if the user has access to submit articles. This, however, will also grant access to editing the article. The link may not show up in the article display (unless caching is on and the page was cached when an admin/editor accessed it) but since it is very easy to just give another article ID in the URL, in my opinion, it should be checked on article edit, whether the user has rights to do so.

Maybe that is what is in the fix on wfsection website, I haven't looked at that. If that is the case, I apologize for sounding like a know-it-all

(oh - and btw Liquid; isn't it about time to update your signature? )

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

277 user(s) are online (227 user(s) are browsing Support Forums)

Members: 0

Guests: 277

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Jun 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits