1
vinit
NEWBB2: Security Issue
  • 2004/10/30 6:29

  • vinit

  • Just can't stay away

  • Posts: 530

  • Since: 2004/1/10


Hi, there is a very minor security issue with NewBB2, but it is critical in nature.

By default, whenever a user is browsing a forum, the link comes up something like this:

Quote:

http://mysite.com/modules/newbb/viewtopic.php?topic_id=8&forum=5&PHPSESSID=9f82570924457c90d1400c9d248056d7


Note the important thing in here is the PHPSESSID. The session ID should never be seen, first of all. Take a case: you were browsing a topic, you found it interesting, you copied the entire link as shown above and passed it to your friend or a third person. If that person opens the link while you are logged in, then your session will get shared with him and he will be logged in by default with your ID. This would be worse if a site admin commits this mistake.

Thus I would suggest using the POST method for session IDs at least.

2
m0nty
Re:NEWBB2: Security Issue
  • 2004/10/30 8:07

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


hardly worthy of a post like this.. i thought it was something major..

security isn't just a webmaster's problem.. the user has to take some responsibility as well.. and have some common sense..

but anyway i don't see the PHP session id when i've logged in. i only ever see it when browsing and haven't logged in. notice you don't see it on this site either..

for future reference though, if you ever do find a security issue, then posting it here on a public forum is NOT the way to go about it. sure we'd all like to know about these issues, but posting a security issue in public gives hackers all the info they need.. next time can you please post them in a private message or email to the developers before making them public..

3
Mikhail
Re:NEWBB2: Security Issue
  • 2004/10/30 11:48

  • Mikhail

  • Just can't stay away

  • Posts: 412

  • Since: 2003/1/19


Quote:
security isn't just a webmaster's problem.. the user has to take some responsibility as well.. and have some common sense..


URLs can be tracked by referrer systems, so it isn't just a user problem/responsibility... or not?

[]s,

mikhail

4
Mikhail
Re:NEWBB2: Security Issue
  • 2004/10/30 12:50

  • Mikhail

  • Just can't stay away

  • Posts: 412

  • Since: 2003/1/19



5
m0nty
Re:NEWBB2: Security Issue
  • 2004/10/30 14:19

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


true.. but this is not a bug with newbb2 and shouldn't have been posted as a bug report..

ADD:

the only time i've ever seen the session id in the url is when cookies have been blocked, so the session id can't be written to a cookie, therefore it passes it as a string in the url.. but XOOPS doesn't allow posting if cookies are blocked anyway..
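The two points raised in this thread (a session ID leaking through a shared URL or a referrer, and PHP falling back to URL-based session IDs when cookies are unavailable) are both handled on the server side by refusing to carry the ID in the URL at all. The following is an added example, not XOOPS or NewBB2 code; the function names are hypothetical and it assumes PHP 7.3 or newer for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not XOOPS/NewBB2 code): a session bootstrap that keeps the
// session ID out of URLs and ignores any ID supplied in the query string.

declare(strict_types=1);

function secure_session_start(): void
{
    // Accept the session ID only from the cookie, never from GET/POST, and
    // never let PHP rewrite links to append ?PHPSESSID=... when cookies are off.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued instead of silently creating a session for them.
    ini_set('session.use_strict_mode', '1');

    // HttpOnly keeps page scripts from reading the ID; Secure limits it to HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// A link like the one quoted in the thread still carries the ID in its query
// string. The session layer above ignores it, so strip it and redirect to the
// clean URL so the ID does not travel further in logs, bookmarks or referrers.
function strip_session_id_from_url(): void
{
    $name = session_name();                 // 'PHPSESSID' unless renamed
    if (isset($_GET[$name])) {
        unset($_GET[$name]);
        $clean = strtok($_SERVER['REQUEST_URI'], '?');
        if ($_GET !== []) {
            $clean .= '?' . http_build_query($_GET);
        }
        header('Location: ' . $clean, true, 302);
        exit;
    }
}

// On login, issue a fresh ID so that whatever ID the visitor held before
// authenticating is never upgraded into a logged-in session.
function on_successful_login(int $userId): void
{
    session_regenerate_id(true);            // true = discard the old session data
    $_SESSION['uid'] = $userId;
}

secure_session_start();
strip_session_id_from_url();
```

With `session.use_trans_sid` off, the URL form of the ID that m0nty describes for cookie-blocked visitors is never generated, which matches XOOPS refusing to let such visitors post.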
