1
neoMJ
Seems to be a security hole in 2.0.10! BIG!
  • 2005/4/25 21:59

  • neoMJ

  • Just popping in

  • Posts: 6

  • Since: 2005/4/25


Ok guys, I guess we have a problem with 2.0.10 release...

I use default NewBB as a forum and my wholse XOOPS site is upgraded to 2.0.10..

Let me explain what happens:

When I send a link from a "private forum" topic to somebody who is not a member of my site, and when I am logged in at the moment, as soon as the other side clicks on the link he takes over my account! That means I got automatically logged out and he becomes logged in with my user name! Without entering a password! Just clicking on the link...

I don't wanna be exaggerating anything but that seems to be a serious bug! Can anybody look at it?

2
m0nty
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/4/25 22:03

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


i'm just guessing here, but does the link you give contain anything like PHPSESSIONID in the url?

if so that's the problem.. make sure u remove the sessionid from the url u post, it's more a server config than XOOPS if it is that problem..

If you have access to in php.ini set "session.use_trans_sid" to false

If you don’t have access to php.ini, add the following line to an .htaccess file

php_flag session.use_trans_sid off

3
neoMJ
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/4/25 22:11

  • neoMJ

  • Just popping in

  • Posts: 6

  • Since: 2005/4/25


Yes it contains PHPSESSIONID...

I was suspecting that but I don't have much knowledge of that thing...

I don't have access to php.ini.

But I can create a ..htaccess file.

I wanna ask where should I create it? In which directory?

4
m0nty
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/4/25 22:15

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


place it in your root XOOPS folder, the one that contains mainfile.php

5
neoMJ
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/4/25 22:17

  • neoMJ

  • Just popping in

  • Posts: 6

  • Since: 2005/4/25


Ok thank you very much!

6
javier
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/5/8 22:45

  • javier

  • Not too shy to talk

  • Posts: 184

  • Since: 2002/8/6 1


Every time i tried to added a .htaccess file in my XOOPS dir, i get the typical IE error and i can´t view the site.

Any ideas?
grettings

7
davidl2
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/5/9 1:20

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Are you using an ftp client to upload or internet explorer? IE may not like creating the .htaccess file

8
javier
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/5/9 1:27

  • javier

  • Not too shy to talk

  • Posts: 184

  • Since: 2002/8/6 1


ftp client of course, Excuse my bad english, with IE i mean i get a IE error,

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.


That`s every time i upload a .htaccess file, if i delete the .htaccess file all back to normal.

Before you ask, the content of my .htaccess file is:

php_flag register_globals off 
php_flag session
.use_trans_sid off


grettings

9
RVirtue
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/5/9 2:15

  • RVirtue

  • Quite a regular

  • Posts: 246

  • Since: 2004/8/4 9


I suspect that your hosting service provider is running PHP in CGI mode. (Many of them consider doing that and loading PHPSuexec more secure than running PHP as an Apache module.) You may be able to verify the PHP environment from your hosting contol panel's system information or you can check directly with your service's tech support.

If that is so, then .htaccess won't work. You need to remove it to get rid of those errors. Instead, use a php.ini file in the same location and put the equivalent configuration values into it:
register_globals = Off
session.use_trans_sid = 0

10
m0nty
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/5/9 3:27

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


sometimes in CGI mode you can use a php.ini file of your own..

ie.

create a file and name it php.ini

in this file add:

session.use_trans_sid = off
session.use_only_cookies = on

and then save it to your root XOOPS folder, and then save the same file to every modules folder and modules/admin folder..

to test if it has worked properly, use a phpinfo() script and place it in the same folder as your php.ini file and then call the script.. if those values reported are the same as in your php.ini then it has worked..

Login

Who's Online

47 user(s) are online (29 user(s) are browsing Support Forums)


Members: 0


Guests: 47


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Aug 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits