crimsone
Starting Member
United Kingdom
8 Posts
Posted - 03 January 2005 : 04:30:37
Firstly, I am not a Moderator or administrator of the board in question, which is running the Snitz forum 2000 software (not sure of version), and so I shouldn't post the address of the forum where this event occurred.
Secondly, I am a normal member of this forum, and on registration I discovered this bug, and had a subsequent PM discussion with an Administrator of the site, which I am posting here for clarity of the situation, where names have been changed to protect privacy and rank.
Thirdly, I apologise if this is the wrong forum to post in, but I felt it was the best match for the issue. Likewise, I apologise if this issue has already been covered, but if it has, I can't find it.
OK, the PMs regarding the security bug.....
quote: OK. I'll give you the full story from scratch, and you can take what you need.
MrsModerator is a personal friend of mine, and has at some point in the recent past used my computer to log into this site. I know that she did not use the 'remember me' function, because when I have occasionally visited the site to read a particular thread in the forums regarding MrsModerator's book, she has not been logged in, and at this point I didn't even have my own account.
Early in the morning, 1st January, I Googled for the thread. I visited the boards from the link on Google, and there was, as to be expected, nobody logged in. I know this as I clicked the reply link and was told that I needed to register, as you'd expect.
Anyway, I entered my details, and registered as NewMember1. When I clicked the link/button to submit my details, I was redirected to the 'verification email sent' page, and asked to check my email inbox. As I opened a new window and browsed to my email, the Internet Explorer page open to the 'verification email' page changed, and when I looked, I was logged on as MrsModerator on a page that listed problems with my registration details in every field. Given that I am now registered with those exact details, from that email, I suspect that this page wasn't referring to my details, but instead was referring to a submittal that didn't exist.
On seeing this, I was quite shocked. My only theory is that the page that loaded called on a cookie placed in my temporary internet files from when MrsModerator logged in, even though she hadn't used the remember me function.
I went to the Moderators forum with MrsModerator's account (I did not read any messages, and don't remember any post titles. It was none of my business. I'm more honest than that, and I was out to explore and prove a vulnerability so that I could report it accurately.), and I posted a message with a title along the lines of 'problem with my account/test' and giving a brief, vague content, explaining that I (i.e. MrsModerator) would delete it later, as I didn't want to get MrsModerator into trouble. After all, this was not her fault, I didn't know at the time why it had happened, and I didn't want her to get into trouble for nothing. I posted for two reasons. First, to see if it was possible, and secondly, to prove that the problem existed.
After that, I immediately logged out of MrsModerator's account, and logged into my own before posting a message on the thread I had originally set out to post to - the one I had Googled for - in the Off-Topic Forum.
I then logged out of my account, closed the window, and came back to the site. I was still logged out (under my own name). I had not checked 'remember me' before I had left.
I searched my temporary internet files for links in *********.org.uk (URL removed for privacy of site. I am not a staff member) and found many, so I tried them out one by one.
Eventually, I opened...
http://*********.org.uk/forums/register.asp?mode=DoIt
...from my temporary internet files which brought me to the registration error page again, with one subtle difference: I was logged in as myself again. I immediately logged out, and to check I wouldn't be logged back in when I next clicked a link or refreshed, I clicked the profile link. I was told I needed to register, proving that I was logged out.
I then went back to the file "register.aspmode=DoIt" in my temporary internet files which points to http://*********.org.uk/forums/register.asp?mode=DoIt , I opened it, and it brought me back to the registration error page, with me being logged in as myself.
The only explanation I can think of is that this link, and this link alone, loads login details from a cookie placed on the local machine during the last standard (non-remembered) login, and logs in the last user to access the site. Obviously, this is a security hazard, for example if a moderator, administrator, or user were to use a friends or a public computer to access the site.
I realise that some people being told this may consider that it wasn't a problem until I brought it up, but I trust you will understand that I brought this up because it is always possible that someone else less honest than myself might otherwise work it out at a later date and wreak havoc with it. Obviously, that's not something I'd like to see.
The URL that I believe to be causing the problem is the one I mentioned, http://*********.org.uk/forums/register.asp?mode=DoIt , and as I said, it seems this link misbehaves by logging in the last user to visit the forums from a given machine.
Hope this helps.
The reply was as follows...
quote: Hi - thanks for the detailed explanation. It sounds like a caching issue where a page that logs someone in (such as register.asp) can just be refreshed / recalled from the temporary internet files cache and made to log someone in again.
Although, for this particular one I would have expected it only to work if the user registered on that particular computer - I don't know if that was the case or not?
Anyway, I didn't write the forum software - and don't really have much time to look into it further so I'll just tell Administrator1 to warn the Moderators that they should avoid logging into the forums from "strangers'" computers (i.e. internet cafes etc.).
Thanks for making me aware of it anyway!
Cheers, Administrator2
My reply...
quote: I'm afraid I don't know whether MrsModerator1 first registered on my machine or not. I'd have to ask. However, it was quite some time ago when MrsModerator registered with this forum, and my machine has undergone a full format within the last 4 months, and the temporary internet files have been cleared a number of times, both from Internet Explorer, and by visiting c:/documents and settings/%user%/local settings/temporary internet files/content.IE5 and deleting files and folders directly. If this is where the previous login information is coming from, MrsModerator1 must have last logged in from my machine since I last cleared these files. This is what leads me to believe that this is a cookie issue, rather than an issue which can only arise when the user logged in by this bug has originally registered from a particular local machine.
I did look for information on this but didn't find any. I apologise if I missed something, but given that I managed to post with moderator permissions, I think it's pretty serious. I also apologise if this is the wrong place to post this, but I did look at all the forums, and felt this one was best suited.
It's hard to be religious when certain people are never struck by bolts of lightning |
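The administrator's reply quoted in the post above attributes the symptom to a cached page that logs someone in being recalled from the browser cache and logging them in again. The thread never establishes whether that was the real cause, but the property the hypothesis depends on can be checked directly: a response that issues a login cookie should also tell the browser not to store it, and the cookie should not outlive the browser session unless the user asked for that. The following is an added example, not Snitz code and not from anyone in this thread. It parses constructed HTTP response heads (the cookie names ForumUser and ForumRemember, the paths and the dates are assumptions, not the forum's real ones) and reports the conditions under which such a response could be replayed from a disk cache, plus whether each cookie is persistent, which is the usual meaning of a 'remember me' option.

```python
"""Audit HTTP responses that issue a login cookie for cache-replay risk.

Added example for this thread, not Snitz code. It checks the property the
administrator's caching hypothesis relies on: does a response that sets a
login cookie also forbid the browser from storing the response, and is the
cookie a session cookie or a persistent one? The sample responses at the
bottom are constructed for illustration; header and cookie names are assumed.
"""


def parse_response(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...]).

    Header names are lower-cased; repeated headers such as Set-Cookie are kept
    in order. Parsing stops at the first blank line (end of the header block).
    """
    lines = raw.strip("\n").splitlines()
    status_line = lines[0].strip()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray non-header line
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def cache_directives(headers):
    """Collect directive names from every Cache-Control header, lower-cased."""
    directives = set()
    for name, value in headers:
        if name == "cache-control":
            for token in value.split(","):
                token = token.strip().lower()
                if token:
                    directives.add(token.split("=", 1)[0])
    return directives


def audit_login_response(raw):
    """Return a list of findings for a response that sets a cookie.

    An empty list means the response forbids caching and only issues
    session cookies. A response with no Set-Cookie header has nothing to
    protect and also yields an empty list.
    """
    _, headers = parse_response(raw)
    cookies = [v for n, v in headers if n == "set-cookie"]
    if not cookies:
        return []

    findings = []
    directives = cache_directives(headers)
    if "no-store" not in directives:
        findings.append("Set-Cookie issued without Cache-Control: no-store")
    pragma = [v.lower() for n, v in headers if n == "pragma"]
    if "no-cache" not in pragma:
        findings.append("missing Pragma: no-cache for HTTP/1.0 caches")

    for cookie in cookies:
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        # A cookie with Expires or Max-Age is written to disk and survives
        # closing the browser; that is what a 'remember me' option does.
        if any(a.startswith(("expires=", "max-age=")) for a in attrs):
            findings.append(f"cookie {cookie_name} is persistent (survives browser close)")
    return findings


# Constructed sample: a registration/login response that sets cookies but says
# nothing about caching, and issues one persistent cookie.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: ForumUser=alice; path=/forums/
Set-Cookie: ForumRemember=1; expires=Fri, 01-Jan-2010 00:00:00 GMT; path=/forums/

<html>...</html>"""

# Constructed sample: the same response with caching forbidden and only a
# session cookie issued.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: 0
Set-Cookie: ForumUser=alice; path=/forums/

<html>...</html>"""


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_login_response(raw) or "no findings")
```

The check is deliberately narrow: it does not prove that a given browser would replay a cached response, only that nothing in the response forbids it. Pointing it at a real login or registration endpoint means capturing the response head (for example with a proxy) and passing the text to audit_login_response.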
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 03 January 2005 : 05:50:00
You think what is pretty serious? I can't understand what you are trying to say, it doesn't make sense. What are you saying the trouble is?
crimsone
Starting Member
United Kingdom
8 Posts
Posted - 03 January 2005 : 06:26:51
I guess the PM conversation in the quotes above isn't as clear as I thought it was without context.
In short, a moderator of a site I was occasionally visiting (but not registered on) running this forum software logged onto her account on the site from my computer some time ago. She did not use the "remember me" option.
I finally got around to registering on the site, and during the registration process, just after submitting my information, I somehow got logged onto her moderator account. Tracing through my temporary internet files, the URL that logged me onto her account was the one I mentioned above repeatedly. Having registered my own account on that site, and after a little experimentation, it appears that the link mentioned in my original post logs on the last user to log in from the machine from which the link is visited. If that happens to have been a moderator, or an administrator, it obviously could present a serious problem.
Does that make it any clearer?
crimsone
Starting Member
United Kingdom
8 Posts
Posted - 03 January 2005 : 06:38:50
Incidentally, the administrator of the site on which this occurred just got back to me and said that he/she had tried to reproduce the issue with no success. Each time I visit via this URL however, it logs me in.
crimsone
Starting Member
United Kingdom
8 Posts
Posted - 03 January 2005 : 06:51:50
OK. lol. For anyplace I've used 'remember me' read 'save password'
Also, having been told that there was trouble reproducing the event, I checked that I could still reproduce the event on my computer. I could.
I've just cleared my temporary internet files and cookies, logged in and out a few times, and tried to reproduce the event. It seems that I can't anymore.
Unfortunately, this leaves me with the horrible situation of stating that there is an issue of some sort, related to security and logging in of the last user to visit a Snitz forum, related to register.asp?mode=DoIt, but I can't give any sure way of reproducing the problem, nor any clue as to how to try. All I can say is that something potentially nasty happened security-wise, but isn't happening now that I've cleared my internet cache once more.
Edited by - crimsone on 03 January 2005 07:12:35
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 03 January 2005 : 08:51:14
I guess you should not worry too much. It could even be a cached page, but quite likely, if you tried doing something from there, as a moderator, you would find out that you couldn't. It happens, sometimes, but it really is not an issue, since you can't do anything as the "cached" user. Also, there are not that many situations where two different users login from the same computer.
Snitz 3.4 Readme | Like the support? Support Snitz too
crimsone
Starting Member
United Kingdom
8 Posts
Posted - 03 January 2005 : 09:38:16
The reason I doubt it was a cached page is that I could actually see and in fact posted in a moderator-only forum, with a moderator account. It was only after registration that this account logged in, and once I had logged in with my own account, visiting the registration link logged me in automatically as the last user of the forum.
This can only have been some sort of bug, but perhaps it was a rare occurrence.
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 03 January 2005 : 13:27:59
How do you know she never used the "Remember me" option when she logged in?
Support Snitz Forums
crimsone
Starting Member
United Kingdom
8 Posts
Posted - 03 January 2005 : 14:21:30
I know this feature was not used for three reasons.
One is that I had visited the forum a large number of times previously before this occurred, and before registering. On no occasion did I ever get logged in as her, which would have happened if it had been set to remember the login.
Two is that the moderator (and evidently, personal friend) is savvy enough to realise that in a position of responsibility on the forum, having the password remembered is a very bad idea when logging in from someone else's computer.
Three is that on asking her, she confirms what was already a 99.9% certainty that she didn't use the feature.
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 03 January 2005 : 16:51:44
Ok. Well, here are some of my thoughts on it:
1 - For you to be able to log back on as that moderator and make a successful post, meant her cookie was still on the computer.
2 - She might have accessed the forum using a different url? Do they have more than 1 url to access the forum or site? If they do, she could have logged in under another url, didn't log back out, and when you got redirected on the registration page, it sent you back to the url she logged in with. Thus reading her cookie.
3 - The admin might have changed the forum cookie location since that time. That could also be a possibility.
crimsone
Starting Member
United Kingdom
8 Posts
Posted - 04 January 2005 : 02:54:22
I'm now reproducing the issue with my own account. However, on this occasion, I've logged in and out multiple times, sometimes using the save password feature, and other times not. Still the only link logging me back in without my asking to be logged in is register.asp?mode=doit
This is in fact the page I was re-directed to. As to why I was redirected to the page I was already on during registration, I can only guess it was a meta-refresh or something along those lines. I seriously doubt that that was the fault of the forum code.
I don't know enough about the way the forum works, or how it sets cookies, to be able to understand why after clearing my internet cache the issue stopped altogether, but now it occurs again.
crimsone
Starting Member
United Kingdom
8 Posts
Posted - 04 January 2005 : 03:06:36
The software version is 3.4.04, now that I know.
Is it normal behaviour for the /forum/register.asp?mode=DoIt link to log in a user from information on the computer being used, while no other link does so?
As far as I am aware there is only one link to the forums, but I wouldn't know for sure. Unless of course you count /forum/ and /forum/default.asp , but both would obviously lead to the same registration URL. I don't think there's any more information I can personally give now. For any other info, I'd have to ask the forum admin.