Re: Security Problem [Q and A] - XOOPS Web Application System

31

Re: Security Problem

2004/7/2 23:11
ReCkage
Just popping in
Posts: 39
Since: 2004/5/24

No, no one has gotten back to me, which is not good, i have one week to find the answer or its my ass.

32

Re: Security Problem

2004/7/3 3:50
skalpa
Quite a regular
Posts: 300
Since: 2003/4/16

No way man... Everybody wants your ass to be safe here

The point is that, after checking, I really don't see how the PM code could be responsible for this... Also, the frequency of your problem / the way it appears makes me believe this might be a problem with your config.

But anyway, let's find the clues... Try this:
- ensure your php session config works
- make XOOPS use the default php session handler instead of its custom one (comment the line calling session_set_save_handler() in include/common.php )
- try again

Other one: try to test your installs with a MySQL 3.23 server.

Tell me if it makes things better, I'll try to find something else otherwise.

skalpa.>

33

Re: Security Problem

2004/7/6 19:30
ReCkage
Just popping in
Posts: 39
Since: 2004/5/24

Thats the issue is the session, with default or custom, every single user gets the same session ID, ive been asking this in another post for weeks. is that supposed to happen.

I hav eno control over the software versions, its a shared server.

Here is the stats.
Operating system Red Hat Linux
Kernel version 2.4.20-24.9
Apache version 1.3.31 (Unix)
PERL version 5.8.1
PHP version 4.3.7
MySQL version 4.0.18-standard

34

Re: Security Problem

2004/7/7 0:04
skalpa
Quite a regular
Posts: 300
Since: 2003/4/16

Quote:

Thats the issue is the session, with default or custom, every single user gets the same session ID, ive been asking this in another post for weeks. is that supposed to happen.

I understood this. But have you tried to do what I have told ? The thing is that the "custom session" option in the administration only controls the name of the cookie used for the session id, not if XOOPS will use its own "session handler" or not (it always does in 2.0.x).
- To comment the line I indicated in common.php will make XOOPS use the default php handler, so we can spot if the issue is due to XOOPS / something else.
- If your site works once the line is commented and you know your apache / session config is safe, you can let it run like this

skalpa.>

35

Re: Security Problem

2004/7/7 1:51
ReCkage
Just popping in
Posts: 39
Since: 2004/5/24

Ok did what you suggested, had some users try ti out, and again people were becoming others.

36

Re: Security Problem

2004/7/9 20:10
ReCkage
Just popping in
Posts: 39
Since: 2004/5/24

any other ideas?

37

Re: Security Problem

2004/7/9 21:24
Panos
Friend of XOOPS
Posts: 87
Since: 2003/3/20

It would probably be useless to repeat that this has never happened to my site before and please note that they are being hosted on a shared server

In fact, I have spent the last 10 minutes clearing my browser's cache and cookies, re-logging into the site and doing fn + F5 (on my Mac), but nothing happened. If someone was watching me, he would think that I had gone completely bonkers

In any event, couldn't that particular issue be caused by a server misconfiguration?

I really don't believe that it's XOOPS's "fault"

I would really like to help more, but I really don't have a clue regarding this issue

38

Re: Security Problem

2004/7/9 22:01
ReCkage
Just popping in
Posts: 39
Since: 2004/5/24

I have had my host make all the updates to their server, they have tempoarly removed the XOOPS installation package from their servers. besides that I was hoping that someone here would know what to do.

39

Re: Security Problem

2004/7/9 22:09
Mithrandir
XOOPS is my life!
Posts: 6320
Since: 2003/6/21

I don't know where to begin.

Is this a common problem with XOOPS installations on that host (could you ask?)

I find it very very very weird that the PM functionality can trigger this - if things are working fine until someone sends a PM, I'm stomped. All the PM'ing does is add a record to the database... that's it.

40

Re: Security Problem

2004/7/9 22:51
ReCkage
Just popping in
Posts: 39
Since: 2004/5/24

PM is nolonger the trigger, its happens anytime more than one user is on the site.

Stats
Goal:	$100.00
Due Date:	Feb 28
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Re: Security Problem

Re: Security Problem

Re: Security Problem

Re: Security Problem

Re: Security Problem

Re: Security Problem

Re: Security Problem

Re: Security Problem

Re: Security Problem

Re: Security Problem

Login

Search

Recent Posts

Re: Choice of editors for the Newbb module

Re: Choice of editors for the Newbb module

Re: Choice of editors for the Newbb module

Re: Choice of editors for the Newbb module

Re: Choice of editors for the Newbb module

Re: Choice of editors for the Newbb module

Choice of editors for the Newbb module

Re: AI circumvent anti spamm

Re: AI circumvent anti spamm

AI circumvent anti spamm

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}