31
ReCkage
Re: Security Problem
  • 2004/7/2 23:11

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


No, no one has gotten back to me, which is not good. I have one week to find the answer or it's my ass.

32
skalpa
Re: Security Problem
  • 2004/7/3 3:50

  • skalpa

  • Quite a regular

  • Posts: 300

  • Since: 2003/4/16


No way man... Everybody wants your ass to be safe here

The point is that, after checking, I really don't see how the PM code could be responsible for this... Also, the frequency of your problem / the way it appears makes me believe this might be a problem with your config.

But anyway, let's find the clues... Try this:
- ensure your php session config works
- make XOOPS use the default php session handler instead of its custom one (comment the line calling session_set_save_handler() in include/common.php )
- try again

Other one: try to test your installs with a MySQL 3.23 server.

Tell me if it makes things better, I'll try to find something else otherwise.

skalpa.

33
ReCkage
Re: Security Problem
  • 2004/7/6 19:30

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


That's the issue, it's the session: with default or custom, every single user gets the same session ID. I've been asking this in another post for weeks. Is that supposed to happen?

I have no control over the software versions, it's a shared server.

Here are the stats.
Operating system Red Hat Linux
Kernel version 2.4.20-24.9
Apache version 1.3.31 (Unix)
PERL version 5.8.1
PHP version 4.3.7
MySQL version 4.0.18-standard

34
skalpa
Re: Security Problem
  • 2004/7/7 0:04

  • skalpa

  • Quite a regular

  • Posts: 300

  • Since: 2003/4/16


Quote:
That's the issue, it's the session: with default or custom, every single user gets the same session ID. I've been asking this in another post for weeks. Is that supposed to happen?


I understood this. But have you tried to do what I told you? The thing is that the "custom session" option in the administration only controls the name of the cookie used for the session id, not if XOOPS will use its own "session handler" or not (it always does in 2.0.x).
- Commenting out the line I indicated in common.php will make XOOPS use the default php handler, so we can spot if the issue is due to XOOPS / something else.
- If your site works once the line is commented and you know your apache / session config is safe, you can let it run like this.

skalpa.
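One way to confirm the reported symptom (several users presenting the same session ID) from the server side, as an added example that is not part of the original thread or of XOOPS. It assumes Apache has been set to log the Cookie header with a format such as `LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Cookie}i\""`; the log lines are constructed, and the cookie name is a parameter because, as skalpa notes, the "custom session" option changes it (PHPSESSID is PHP's default).

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). Assumed Apache format:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Cookie}i\""
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2004:01:40:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "PHPSESSID=aaaa1111"
10.0.0.9 - - [07/Jul/2004:01:40:10 +0000] "GET /user.php HTTP/1.1" 200 2048 "PHPSESSID=aaaa1111"
10.0.0.7 - - [07/Jul/2004:01:41:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "PHPSESSID=bbbb2222; theme=default"
10.0.0.7 - - [07/Jul/2004:01:41:30 +0000] "GET /user.php HTTP/1.1" 200 1024 "PHPSESSID=bbbb2222; theme=default"
10.0.0.3 - - [07/Jul/2004:01:42:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-"
"""

# Client IP is the first field; the Cookie header is the last quoted field.
LINE_RE = re.compile(r'^(?P<ip>\S+) .* "(?P<cookie>[^"]*)"$')


def session_ids_by_client(log_text, cookie_name="PHPSESSID"):
    """Map each session ID to the set of client IPs that presented it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        for part in m.group("cookie").split(";"):
            name, _, value = part.strip().partition("=")
            if name == cookie_name and value:
                seen[value].add(m.group("ip"))
    return seen


def shared_session_ids(log_text, cookie_name="PHPSESSID", min_clients=2):
    """Return session IDs presented by at least min_clients distinct IPs."""
    seen = session_ids_by_client(log_text, cookie_name)
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) >= min_clients}


if __name__ == "__main__":
    for sid, ips in shared_session_ids(SAMPLE_LOG).items():
        print(f"session {sid} presented by {len(ips)} clients: {', '.join(ips)}")
```

Users behind the same NAT or proxy share one IP, so this undercounts in that case; logged session cookies are credentials, so the log itself needs to be access-restricted and the extra logging removed after the test.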

35
ReCkage
Re: Security Problem
  • 2004/7/7 1:51

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


OK, did what you suggested, had some users try it out, and again people were becoming others.

36
ReCkage
Re: Security Problem
  • 2004/7/9 20:10

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


Any other ideas?

37
Panos
Re: Security Problem
  • 2004/7/9 21:24

  • Panos

  • Friend of XOOPS

  • Posts: 87

  • Since: 2003/3/20


It would probably be useless to repeat that this has never happened to my site before and please note that they are being hosted on a shared server

In fact, I have spent the last 10 minutes clearing my browser's cache and cookies, re-logging into the site and doing fn + F5 (on my Mac), but nothing happened. If someone was watching me, he would think that I had gone completely bonkers

In any event, couldn't that particular issue be caused by a server misconfiguration?

I really don't believe that it's XOOPS's "fault"

I would really like to help more, but I really don't have a clue regarding this issue

38
ReCkage
Re: Security Problem
  • 2004/7/9 22:01

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


I have had my host make all the updates to their server, they have temporarily removed the XOOPS installation package from their servers. Besides that I was hoping that someone here would know what to do.

39
Mithrandir
Re: Security Problem

I don't know where to begin.

Is this a common problem with XOOPS installations on that host (could you ask?)

I find it very very very weird that the PM functionality can trigger this - if things are working fine until someone sends a PM, I'm stumped. All the PM'ing does is add a record to the database... that's it.

40
ReCkage
Re: Security Problem
  • 2004/7/9 22:51

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


PM is no longer the trigger, it happens anytime more than one user is on the site.
