11
kurdman
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/5/27 19:43

  • kurdman

  • Just popping in

  • Posts: 1

  • Since: 2005/5/23


I create .htaccess file in root XOOPS folder
& add (php_flag session.use_trans_sid off) to .htaccess file

after login with admin user when i want to go admin control panel i received this = You don't have the right to access this area
& usually URL contains PHPSESSIONID

12
peterr
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/6/8 3:10

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Hi,

Quote:

m0nty wrote:
If you don’t have access to php.ini, add the following line to an .htaccess file

php_flag session.use_trans_sid off


We have been using this ............

php_value session.use_trans_sid 0


obviously if results in the same effect, I assume.

Peter

13
alitan
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/6/11 3:29

  • alitan

  • Quite a regular

  • Posts: 399

  • Since: 2004/3/14


Alot of persian users are having this problem. The weird thing is that they can use XOOPS 2.0.9.3 with no problem but not XOOPS 2.0.10 . This Session problem is really annoying! Also it is making me think that this might be Xoops' bug, since the same users who experienced the same issue with XOOPS 2.0.10, do not have any issue with XOOPS 2.0.9.3 at all! Some of them even can not use .htaccess files so it is extremely important for them to use XOOPS 2.0.9.3 . Also XOOPS 2.0.9.3 is removed from this site and because they can't use XOOPS 2.0.10, they prefare to move on another CMS.
I personally, do not know what to tell them, please help!

thanks in advance!

14
m0nty
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/6/11 3:52

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


the problem is that people need to be aware of, is this is not a XOOPS problem as such.. it's a server config problem :S i'm no expert but i think any CMS that uses sessions and cookies will give them the same problems with the sessionid..

sometimes if you can't use .htaccess you can create a php.ini file with the php value inside that.. but you need to place the ini file inside every folder & admin folder as far as i'm aware..

they could also use the php value of

session.use_only_cookies 1

too which will force php to use cookies only instead of sessionid (again i think this is the way it works)

15
alitan
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/6/11 3:57

  • alitan

  • Quite a regular

  • Posts: 399

  • Since: 2004/3/14


But why don't they have this problem with XOOPS 2.0.9.3 is a question!

16
m0nty
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/6/11 4:05

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


if the browser is correctly setup to receive all cookies then i don't think the phpsessionid will be shown in the url at all. i'm far from expert on it. i'm just picking info up from php.net and various other forums..

17
alitan
Re: Seems to be a security hole in 2.0.10! BIG!
  • 2005/6/11 4:20

  • alitan

  • Quite a regular

  • Posts: 399

  • Since: 2004/3/14


I think we should investigate that, what in the new token system causes theproblem to happen!

Login

Who's Online

155 user(s) are online (96 user(s) are browsing Support Forums)


Members: 0


Guests: 155


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits