1
vinit
NEWBB2: Security Issue
  • 2004/10/30 6:29

  • vinit

  • Just can't stay away

  • Posts: 530

  • Since: 2004/1/10


hi there is a very minor security issue with newbb2, but its a critical in nature.

By default when ever a user is browsing a forum the link comes up something like this

Quote:

Note the important thing in here is the PHPSESSID. the session id should never be seen first of all. take a case, you where browsing a topic and you found it intresting and you copied the entire link as shown above and passed it to your friend or third person. and if that person opens the link while you are logged in, then your session will get shared with him and he will be logged in by default with your id. This would be worse if a site admin commits this mistake.

Thus i would suggest to use POST method for session ids atleast.

2
m0nty
Re:NEWBB2: Security Issue
  • 2004/10/30 8:07

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


hardly worthy of a post like this.. i thought it was somethin major..

security isn't just a webmasters problem.. the user has to take some responsibility aswell.. and have some common sense..

but anyway i don't see the phpsession id when i've logged id. i only ever see it when browsing and haven't logged in. notice you don't see it on this site either..

for future reference tho, if you ever do find a security issue, then posting it here on a public forum is NOT the way to go about it. sure we'd all like to know abt these issues, but posting a security issue in public gives hackers all the info they need.. next time can u please post them in a private message or email to the developers b4 making them public..

3
Mikhail
Re:NEWBB2: Security Issue
  • 2004/10/30 11:48

  • Mikhail

  • Just can't stay away

  • Posts: 412

  • Since: 2003/1/19


Quote:
security isn't just a webmasters problem.. the user has to take some responsibility aswell.. and have some common sense..


urls can be tracked by referers systems, so isn't just an user problem/responsibility... or not?

[]s,

mikhail

4
Mikhail
Re:NEWBB2: Security Issue
  • 2004/10/30 12:50

  • Mikhail

  • Just can't stay away

  • Posts: 412

  • Since: 2003/1/19



5
m0nty
Re:NEWBB2: Security Issue
  • 2004/10/30 14:19

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


true.. but this is not a bug with newbb2 and shouldnt have been posted as a bug report..

ADD:

the only time i ever seen sessionid in the url is when cookies have been blocked, so the session id can't be wrote to a cookie, therefore it passes it as a string in the url.. but XOOPS doesn't allow posting if cookies are blocked anyway..

Login

Who's Online

319 user(s) are online (183 user(s) are browsing Support Forums)


Members: 0


Guests: 319


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits