1
ReCkage
Security Problem
  • 2004/5/24 19:25

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


I am about to go public with a site for my university. But during testing we realized that if you hit F5 to refresh a page you end up as someone else that is already logged on. How can we stop this? Security is a big issue for this site.

2
Bender
Re: Security Problem
  • 2004/5/24 19:38

  • Bender

  • Home away from home

  • Posts: 1899

  • Since: 2003/3/10


I have never seen this happen myself, and especially on this site I often use F5 to refresh.

But someone else reported something like this some days ago, I think.

Can you give the experts (I am not one) some more information?

Like:

- On which system do you run XOOPS (software revisions, OS ...)?
- Which XOOPS version?
- Is the error reproducible, or does it occur randomly?
- Which additional modules do you use?
  (If you can force the problem, can you disable the additional modules and try whether it persists?)

Stuff like that ...

3
ReCkage
Re: Security Problem
  • 2004/5/24 21:29

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


Ok, here we go.

Running on Apache 1.3.29 (Unix)
Xoops 2.0.6

Modules:

- FAQ
- Forum
- MyADS
- Polls
- Links
- ICalendar
- Members
- Downloads
- Sections
- Job Listings

The problem is reproducible every time F5 is hit.

4
tl
Re: Security Problem
  • 2004/5/24 23:51

  • tl

  • Friend of XOOPS

  • Posts: 999

  • Since: 2002/6/23


Since the problem is not duplicable on this site (xoops.org), it has to do with the unofficial modules installed or your setup. I think it is more the first.

To find out which module is the culprit, you would have to uninstall the unofficial modules one by one and test the F5 key after each uninstall.

Please keep us posted on which module is causing the problem, so the community and the developer can be advised of the security breach. Thank you.


5
ReCkage
Re: Security Problem
  • 2004/5/27 17:23

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


Ok, we have tracked the problem down to the private message feature. Any time someone on the site creates a PM, after that point everyone starts becoming someone else. We have set the custom session time to 0; that didn't help. We first thought it was a phpMyAdmin module, but the problem persisted. Does anyone know if the PM feature is affected by any other module?

Quote:

tl wrote:
Since the problem is not duplicable on this site (xoops.org), it has to do with the unofficial modules installed or your setup. I think it is more the first.

To find out which module is the culprit, you would have to uninstall the unofficial modules one by one and test the F5 key after each uninstall.

Please keep us posted on which module is causing the problem, so the community and the developer can be advised of the security breach. Thank you.


6
m0nty
Re: Security Problem
  • 2004/5/27 17:49

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


Custom session time wouldn't really stop that, but maybe turning custom sessions off completely might, although this is not a fix, especially if you require it on.

Another thing to try would be a hack to remove the session id from the URL.

I've seen it on the forum somewhere but can't remember where; I'm sure if you search you should be able to find it.

You could also stop the PM popup; that may cure it. A user would still know, as the inbox would show a message number next to it, providing that block is viewable on the screen they are in.

7
ReCkage
Re: Security Problem
  • 2004/5/27 17:51

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


I turned off custom sessions, and it still continues. How do you turn off the PM popup?

8
Mithrandir
Re: Security Problem

It sounds extremely weird that sending a PM should have this kind of effect on a page. I don't understand the reason for it and hence cannot see a solution, I'm afraid.

9
ReCkage
Re: Security Problem
  • 2004/5/27 17:56

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


We have been heavily testing since we found this problem. And today we finally realized it only happens when users send PMs.

10
m0nty
Re: Security Problem
  • 2004/5/27 18:12

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


It's not a problem I've heard reports of before.

Although I did myself experience this on my site once, and a few other people reported also that they were replying to a PM, and there was one report from someone refreshing when on somebody's profile page and it took them into that person's account, although when they tried to view their account details it gave an error message and redirected back to their own account.

Had no reports of it happening since, but I have got the session id disabled in the URL now. That's the only thing I can think of that could probably cause this.

Have you a network monitoring tool at all? Maybe a sniffer program where you could monitor the packets to and fro; maybe something may show up in the headers, some kind of duplication or swapping of the session id when replying to PMs or viewing them. Clutching at straws, I know, but I can't think of any other reasons.
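As a defender-side illustration of the "remove the session id from the URL" advice in posts 6 and 10, here is an added PHP example (not XOOPS's own code) that turns off PHP's URL-based session ids, logs requests that still carry one, and rotates the id at login; the function names and the `$loggedInNow` flag are assumptions.

```php
<?php
// Added example, not XOOPS code. With session.use_trans_sid enabled, PHP
// appends PHPSESSID=... to every link and form it emits, so any copied or
// cached URL carries a live session id and whoever follows it inherits that
// session. Posts 6 and 10 suspect exactly this mechanism, so the fix is to
// keep the id in the cookie only and never accept it from the query string.

// Weak settings, shown for contrast (typical php.ini on a 2004-era host):
//   session.use_trans_sid    = 1   ; rewrite URLs to include the id
//   session.use_only_cookies = 0   ; accept an id from the query string

// Hardened settings; these must be set before session_start() runs.
ini_set('session.use_trans_sid', '0');     // never append the id to URLs
ini_set('session.use_only_cookies', '1');  // read the id from the cookie only
ini_set('session.use_cookies', '1');
ini_set('session.cookie_httponly', '1');   // needs PHP >= 5.2; ignored earlier

// True when a session id was supplied in the query string. Once
// use_only_cookies is on, PHP ignores it, but logging such requests shows
// whether old links that still embed PHPSESSID are circulating.
function sessionIdInUrl() {
    return isset($_GET[session_name()]);
}

// Start the session and, when the caller reports a login, rotate the id so
// an id that leaked before login is worthless afterwards. $loggedInNow is an
// assumed flag that the site's own login code would set.
function startHardenedSession($loggedInNow) {
    if (sessionIdInUrl()) {
        error_log('session id supplied in URL from ' . $_SERVER['REMOTE_ADDR']);
    }
    session_start();
    if ($loggedInNow) {
        // true = discard the old session file (argument needs PHP >= 5.1)
        session_regenerate_id(true);
    }
}
```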
