Snitz Forums 2000
 Security concern?

jplecher
Starting Member

39 Posts

Posted - 21 October 2006 : 20:32:22
Hope I'm mistaken but I noticed a bug, not sure if this is overlooked. During the testing, I logged in as a member and went to profile and I logged in as a different member. I can see the first member's profile and still have the first member logged in even though I changed the username and password when I logged in at the profile. Is that a flaw? It could be the cookie that allows me to not have to log in each time because you have that feature to save your password on by default??

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 21 October 2006 : 21:29:41
Are you talking about viewing a profile, or editing one?

jplecher
Starting Member

39 Posts

Posted - 21 October 2006 : 21:52:54
Viewing a profile.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 21 October 2006 : 22:34:08
How is that a security concern? Members can see other members' profiles.
Why do you say you have the other member logged in? Of course, if you didn't refresh the first page after logging out, that page will still show the first user as logged in. Do you know of any other web page that does not refresh automatically that behaves differently? And again, considering that members can see other members' profiles, how is that a security issue?

jplecher
Starting Member

39 Posts

Posted - 24 October 2006 : 18:48:37
quote:
Originally posted by ruirib

How is that a security concern? Members can see other members' profiles.
Why do you say you have the other member logged in? Of course, if you didn't refresh the first page after logging out, that page will still show the first user as logged in. Do you know of any other web page that does not refresh automatically that behaves differently? And again, considering that members can see other members' profiles, how is that a security issue?

Let me see how I can explain this... Let's say Bob logged on after he registered. Bob decided to click on the profile link at the top... he has to log in again to see his profile. Now let's say Bob changed his mind and didn't log out. Joe, a member, comes along and enters his own name and password. He could see Bob's edit profile pop up. Now I know the chances of someone leaving the forum without logging off and someone happened to be living there or share the class together at the same time. However one can enter his or her name and password and then see the previous person that logged in and able to edit the profile page. Dunno if that's a concern. I just happened to notice it. Just that whoever logged in and that on the profile log in pop up window with a different username should automatically log off the previous logged in for safety. Anyone see my point here? Maybe it's the air where I live...

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 24 October 2006 : 18:54:30
I'm not following you. Can you show us some screen captures?

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 24 October 2006 : 20:16:38
Rui. He is saying that when you go to edit your profile, you can enter a valid username and password of any registered member, and be able to log in and edit that user's profile.

So if you went to edit your profile, you could enter my user name and password, and it will still allow you to edit your profile.

At least, I think that's what he is saying.

jplecher
Starting Member

39 Posts

Posted - 24 October 2006 : 20:21:26
Thanks Davio. Yes, that is correct.

I tried to paste some screen captures but I can't. Is there a special way to paste the graphic? Or is that feature turned off?? I had the Format mode set to prompt but it asks for the URL... scratching my head here.

jplecher
Starting Member

39 Posts

Posted - 24 October 2006 : 20:25:38
I should add... even if you are not editing your profile but are still logged in anywhere in the forum, any valid user can go to the profile page and can log in and edit your profile.

Shaggy
Support Moderator

Ireland
6780 Posts

Posted - 25 October 2006 : 04:13:06
And you're 100% certain that it's Bob's profile Joe can edit by doing this and not his own? If Joe tries to edit Bob's profile and enters his own username and password he should see an invalid username/password error. Have you made any changes to your forum's code, in particular to pop_profile.asp?


Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”

Edited by - Shaggy on 25 October 2006 04:16:10
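
The behaviour Shaggy expects from the profile login prompt, as an added example that is not part of the thread and is not Snitz code: the username and password typed into the prompt are authorised against the profile being edited, and the saved login cookie on its own grants nothing. The member table, the function names and the rule that an administrator may edit any profile are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # demo value for PBKDF2

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Members:
    """Hypothetical member table: lowercased name -> (salt, hash, is_admin)."""

    def __init__(self):
        self.rows = {}

    def add(self, name, password, is_admin=False):
        salt = os.urandom(16)
        self.rows[name.lower()] = (salt, derive(password, salt), is_admin)

    def check_password(self, name, password):
        # Unknown names still cost one derivation and always fail the compare.
        salt, stored, _ = self.rows.get(name.lower(), (b"\0" * 16, b"", False))
        return hmac.compare_digest(derive(password, salt), stored)

    def is_admin(self, name):
        return self.rows.get(name.lower(), (b"", b"", False))[2]

def authorize_profile_edit(members, cookie_user, target, form_user, form_password):
    """Return the member allowed to edit `target`, or None to show the error.

    cookie_user is deliberately not consulted: a session left open on a
    shared machine must not count toward the decision.
    """
    if not members.check_password(form_user, form_password):
        return None  # invalid username/password
    if form_user.lower() == target.lower() or members.is_admin(form_user):
        return form_user  # the profile's owner, or an administrator
    return None  # valid login, but not for this profile

def sample_members():
    # Constructed accounts for the demonstration only.
    m = Members()
    m.add("Bob", "bob-pass")
    m.add("Joe", "joe-pass")
    m.add("Admin", "admin-pass", is_admin=True)
    return m

if __name__ == "__main__":
    m = sample_members()
    print(authorize_profile_edit(m, "Bob", "Bob", "Joe", "joe-pass"))  # None
```
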

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 25 October 2006 : 04:59:27
And what version of the forums are you using?

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 25 October 2006 : 05:02:36
Are you using Firefox? Are you saving form field contents? The only thing close to this that I can think of is if I edit my profile and my settings for the username/password field get saved by Firefox, then if I edit another person's profile, my username/password get automatically filled into their username/password field. This is a bug/feature/whatever of Firefox.

As for anyone being able to log in to edit their own profile, and then being able to edit your profile, that's just not possible. The cookie that is used to save your login information is client-side. There is no way for another user to edit your profile, unless they know your username/password, or they do it from your computer while you are logged in.

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 25 October 2006 : 06:41:15
quote:
Originally posted by RichardKinser

Are you using Firefox? Are you saving form field contents? The only thing close to this that I can think of is if I edit my profile and my settings for the username/password field get saved by Firefox, then if I edit another person's profile, my username/password get automatically filled into their username/password field. This is a bug/feature/whatever of Firefox.

And it bugs the heck out of me! Editing someone else's profile and the user name and password of my login is filled in. I believe it is done so because the field names, and possibly the name of the form, match those of the form used to log in.

Could also cut down on the numerous logins needed, even after logging into the forum.
Log in to forum, then afterwards, log in to edit profile, log in to delete topics, etc. Log in, log in, log in!!!

That's 2 things on my to-do list for next version.

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 25 October 2006 : 06:44:17
All the extra logins are there mainly in case you use the forum on a shared machine, and they are there to stop someone else from coming along and editing your profile (security feature).

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 25 October 2006 : 07:06:51
I kinda like the security that goes with all these logins. I really doubt that we should remove that!

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 25 October 2006 : 07:12:58
Oof! I'll banter with you guys in the dev forums!