    • sullivat, Jul 6th 2006, #1
    Problem: If your browser ignores redirects you can browse a closed forum without logging in.

    Description: If the browser doesn't have a login cookie and tries to browse a forum that only allows signed in users, Vanilla will send a redirect to the login page. If the browser ignores the redirect THE PAGE WILL STILL BE RENDERED!

    http://spacetuna.com/forum is a Vanilla 1 forum that requires users to sign in to browse the site. This link shows the HTTP header response of a page that should require login:

    http://web-sniffer.net/?url=http%3A%2F%2Fwww.spacetuna.com%2Fforum%2Fcomments.php%3FDiscussionID%3D541&submit=Submit&http=1.1&type=GET&ua=Mozilla%2F5.0+%28Macintosh%3B+U%3B+Intel+Mac+OS+X%3B+en-US%3B+rv%3A1.8.0.4%29+Gecko%2F20060508+Firefox%2F1.5.0.4+Web-Sniffer%2F1.0.24

    Solution: Don't just call header("Location: people.php?PageAction=SignOutNow"); to redirect. Send the redirect location, and then exit the script.
    • Mark, Jul 6th 2006, #2
    I could have sworn I called die() after the redirect...
    • Mark, Jul 6th 2006 (edited), #3
    Okay, if anyone wants a fix for this before the next minor revision is released, open up library/People/People.Class.Session.php and change the Check method to look like this:

    function Check(&$Context) {
        if (($this->UserID == 0 && !$Context->Configuration['PUBLIC_BROWSING']) || ($this->UserID > 0 && !$this->User->PERMISSION_SIGN_IN)) {
            if ($this->UserID > 0 && !$this->User->PERMISSION_SIGN_IN) $this->End($Context->Authenticator);
            header('location: '.AppendUrlParameters($Context->Configuration['SAFE_REDIRECT'], 'ReturnUrl='.GetRequestUri()));
            die(); // stop here so the protected page is never rendered after the redirect header
        }
    }

    If you are still running your forum off subversion, just svn update and the fix will be in place.
    • Bergamot, Jul 6th 2006, #4
    Do search engine bots typically respect redirects?
    • Mark, Jul 6th 2006, #5
    I don't know...
    • oplek, Jul 7th 2007, #6
    Jul 6th 2006 was the last post?

    I came to these forums to report this bug as a major security risk. I downloaded Vanilla 1.1.2 yesterday (July 6th 2007 ironically enough), and still found these errors.

    Anyone using telnet, or a modified browser can sail past these redirects (I got one of our servers hacked with this hole once).

    In /settings.php, this shows up:

    if (!$Allowed) header('location:'.GetUrl($Configuration, 'index.php'));

    If you're not logged in (not allowed) you should get redirected to the main forum page; else you get the settings page.
    It's easy to get into restricted places: (Real log, but with details changed to protect some of my info) ('forums' is the vanilla base folder)

    eltoro:~ monit$ telnet sito.up.calif.edu 80
    Trying 207.180.220.248...
    Connected to sito.up.calif.edu.
    Escape character is '^]'.
    GET /forums/settings.php HTTP/1.1
    Host: sito.up.calif.edu

    HTTP/1.1 302 Found
    Date: Sat, 07 Jul 2007 11:53:46 GMT
    Server: Apache/1.3.33 (Darwin) PHP/5.0.1 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7l PHP/4.4.4
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    X-Powered-By: PHP/5.0.1
    Last-Modified: Sat, 07 Jul 2007 11:53:47 GMT
    Pragma: no-cache
    Set-Cookie: PHPSESSID=j0hnkf429c6coiejdoc7o7jr97; path=/forums/; domain=sito.up.calif.edu
    location: http://sito.up.calif.edu/forums/
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8

    fd2
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-ca">
    <head>
    <title>NINI Forums - Administrative Settings</title>

    ...
    ...
    Now, the folks above are correct, the solution is fairly simple:

    header("Location: place.com"); exit();

    I really suggest someone append that extra command. I apologize though if I don't have the time/energy to get in on the official development process myself.
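    A defender's check for the behaviour shown in the telnet capture above, added here as an example (it is not code from this thread or from Vanilla): it parses a raw HTTP/1.x response, decodes a chunked body, and flags a redirect that still carries application markup instead of an empty body. The host name and the two sample responses are constructed.

```python
import re

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Markup that belongs on an application page, never on a bare redirect stub.
APP_MARKERS = re.compile(rb"<(form|input|textarea|table)\b", re.I)

def dechunk(data: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body (chunk sizes are hex)."""
    out, pos = bytearray(), 0
    while (end := data.find(b"\r\n", pos)) != -1:
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            break
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2  # skip chunk data and its trailing CRLF
    return bytes(out)

def parse_http_response(raw: bytes):
    """Split a raw response into (status, lower-cased headers, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return int(status_line.split()[1]), headers, body

def redirect_leaks_content(raw: bytes) -> bool:
    """True when a redirect response also ships an application page."""
    status, headers, body = parse_http_response(raw)
    if status not in REDIRECT_STATUSES or "location" not in headers:
        return False  # not a redirect, so there is nothing to judge
    title = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    # A generic redirect stub has no title, or one naming the status code.
    generic_title = title is None or str(status).encode() in title.group(1)
    return bool(APP_MARKERS.search(body)) or not generic_title

def chunked(payload: bytes) -> bytes:
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)

# Constructed sample: settings.php keeps rendering after header() is sent.
SETTINGS_PAGE = (b"<html><head><title>Forums - Administrative Settings</title></head>"
                 b"<body><form method='post'><input name='x'/></form></body></html>")
VULNERABLE_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: http://forum.example/forums/\r\n"
                       b"Transfer-Encoding: chunked\r\nContent-Type: text/html\r\n\r\n"
                       + chunked(SETTINGS_PAGE))
# Constructed sample: the same redirect once exit() follows header(); empty body.
FIXED_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: http://forum.example/forums/\r\n"
                  b"Content-Length: 0\r\n\r\n")
```

    Fed the bytes of a real capture taken without a session cookie, `redirect_leaks_content` returning True means the page was rendered behind the redirect, which is the defect this thread describes.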
    • #7
    Interesting find, I'll drop Mark an e-mail to see what he thinks.
    • WallPhone, Jul 7th 2007, #8
    For the standard Vanilla settings pages, this just retrieves empty template pages: nothing in the panel, no options, no text other than what is defined in the language file.

    It could be possible some extension might reveal more than intended, and some POSTs get through if the writer is assuming the core will prevent access.

    Fix would be to replace line 43 of your-vanilla/settings.php with this:

    if (!$Allowed) {
        header('Location: '.GetUrl($Configuration, 'index.php'));
        exit();
    }
    • #9
    Indeed.
    • Mark, Jul 7th 2007, #10
    This change has now been committed to the core.