4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: V@no on July 16, 2005, 07:59:11 PM

Title: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: V@no on July 16, 2005, 07:59:11 PM
If you are logged in to your 4images and give a link to someone with the sessionid attached to it (http://example.com/4images/index.php?sessiond=3DwRG-ef4YHhp3xIv3GOMnQ8Qtd), then there is a chance that the visitor who visited that link may get automatically logged in with your account. This issue was introduced in 4images v1.7.1 (or at least I've never heard anyone reporting it before that).

Here is a beta patch. Open includes/sessions.php find:
Code:
    if (!isset($this->session_info['session_user_id'])) {
        return false;
    }
Insert below:
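Code:
    // Reject the session if no IP was recorded for it or if the recorded IP
    // differs from the current client's IP, and switch to a fresh session ID.
    if (!isset($this->session_info['session_ip']) || (isset($this->session_info['session_ip']) && $this->session_info['session_ip'] != $this->user_ip))
    {
      session_regenerate_id();
      $this->session_id = session_id();
      return false;
    }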

and to ensure this works on PHP older than v4.3.2, insert at the end of includes/functions.php, just above the closing ?>, this:
Code:
// Fallback for PHP versions that lack session_regenerate_id():
// assign a newly generated session ID instead.
if (!function_exists("session_regenerate_id"))
{
  function session_regenerate_id()
  {
    return session_id(md5(uniqid(microtime())));
  }
}


As of now, this patch is in stage "beta", until more people test it, on more than one computer ;)
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: boatman9999 on July 20, 2005, 06:10:02 PM
Appears to work OK unless the user is viewing via the AOL browser which seems to change the IP address from one page to another. The script would then log the user out as the IP address does not match the one at login.

Disabling the [MOD] and writing session data to a temporary file, the IP addresses logged during one 5 minute session (from one AOL user) were:

195.93.21.101
195.93.21.70
195.93.21.34
195.93.21.104
195.93.21.71
195.93.21.103
195.93.21.71
195.93.21.101
195.93.21.71
195.93.21.70
195.93.21.101
195.93.21.70
195.93.21.65

As you can see, the first three numbers stay the same, but searching the web suggests that this cannot be relied upon.

Situation appears to be a known problem with other forums with session logging using IP addresses. See:

http://www.aota.net/forums/archive/index.php/t-16830.html   and:
http://forum.statcounter.com/phpBB2/viewtopic.php?p=25851&highlight=&
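
Added example, not part of the thread and not 4images code: the IP-bound session check from the first post's patch, run against constructed requests that include the changing-proxy-address case reported in the reply above. The function names, the in-memory `$store` array and the `prefix24` mode are assumptions made for illustration, and the addresses are documentation-range samples.

```php
<?php
// Added illustration, not 4images code. Function names, $store and the
// 'prefix24' mode are hypothetical.

// Create a session record bound to the client IP seen at login.
function start_session(array &$store, int $userId, string $ip): string
{
    $id = bin2hex(random_bytes(16)); // CSPRNG-generated session ID (PHP 7+)
    $store[$id] = ['session_user_id' => $userId, 'session_ip' => $ip];
    return $id;
}

// First three octets of an IPv4 address, or null for anything else.
function ip_prefix24(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

// Return the user ID for a presented session ID, or null when the session
// is unknown or was created from a different address (the patch's rule).
function resolve_session(array $store, string $sid, string $ip, string $mode = 'exact'): ?int
{
    if (!isset($store[$sid]['session_user_id'], $store[$sid]['session_ip'])) {
        return null;
    }
    $bound = $store[$sid]['session_ip'];
    if ($mode === 'prefix24') {
        // Looser variant: tolerate a changing last octet.
        $prefix = ip_prefix24($bound);
        $same = $prefix !== null && $prefix === ip_prefix24($ip);
    } else {
        $same = hash_equals($bound, $ip);
    }
    return $same ? $store[$sid]['session_user_id'] : null;
}

// Constructed requests; addresses are from the documentation ranges.
$store = [];
$sid = start_session($store, 7, '203.0.113.10');

var_dump(resolve_session($store, $sid, '203.0.113.10')); // owner, same address
var_dump(resolve_session($store, $sid, '198.51.100.5')); // link opened on another network
var_dump(resolve_session($store, $sid, '203.0.113.77')); // owner, proxy changed address
var_dump(resolve_session($store, $sid, '203.0.113.77', 'prefix24')); // same, /24 match
```

With exact matching, the request from another network and the owner's own request from a new proxy address are both refused. The /24 comparison accepts the owner again, and with it any other client in the same range.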

Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: V@no on July 21, 2005, 12:09:49 AM
That is correct, but that will only affect clients whose cookies are blocked. So, I don't see much problem with this ;)

P.S. I'm not going to mention how much I'm sorry for those who are using AOL and that for a long time I've been trying to figure out what kind of unrealistic power would make one use it in the first place...
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: bullseye on August 06, 2005, 11:39:15 PM
Doesn't work for me.... :(
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: pkitty on August 24, 2005, 04:50:47 PM
V@no,

Could you please look in the post above in the top thread about the security fix and see my question, I am having this error even though I have implemented the fixes...
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: TheOracle on August 25, 2005, 05:37:16 AM
Which PHP and mySQL version do you currently use ?
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: pkitty on August 26, 2005, 02:11:05 AM
php ver 4.3.11

my sql 4.0.23~standard
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: Xyu BAM on August 26, 2005, 02:14:44 AM
can you reproduce it at any time?
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: TheOracle on August 26, 2005, 05:37:59 AM
Quote

php ver 4.3.11


Did you try PHP v4.4.0.0? PHP.net already reported some session handling issues due to bad developing method count. ;)
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: pkitty on August 26, 2005, 06:18:19 AM
No, this is what my host offers, I can't upgrade it or anything. I guess I will have to delete the album altogether then if this can't be resolved? I can't have any of the members haphazardly sending an email and somebody logging into their account.
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: Xyu BAM on August 26, 2005, 06:47:50 AM
can you reproduce it at any time?
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: TheOracle on August 26, 2005, 01:01:29 PM
Quote

I cant have any of the members haphazardously sending an email and somebody logging into their account.


That's a different issue though. What is the exact error message that it returns to you?
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: pkitty on August 26, 2005, 08:48:33 PM
Not an error, if somebody sends me a link in an email....when I click on the link, I am logged into their account and can change their info or whatever....No errors. Make sense?
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: TheOracle on August 26, 2005, 08:51:23 PM
Quote

Make sense?


If you mean that the problem you explained above is actually what 4images faces from your end, then - yes - it is an error and a massive one I might add.  8O
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: pkitty on August 26, 2005, 08:56:07 PM
wahtoh...LOL....not a good thing and I knew that. I am going to have one of my members try it again, if I click on the link and get logged into their account, even with the fixes that were suggested here, I have no choice...I don't know what else to do to stop the session id from coming up in the link.
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: TheOracle on August 26, 2005, 09:01:06 PM
Quote

I dont know what else to do to stop the session id from coming up in the link.


Well, if re-installing 4images does not resolve the issue, you'd need to ask your ISP if the session.auto_start is set to off.
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: pkitty on August 26, 2005, 09:03:27 PM
if I reinstall, will I lose everything, like mods and stuff?
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: TheOracle on August 26, 2005, 09:04:41 PM
Quote

if I reinstall, will I lose everything, like mods and stuff?


No, not necessarily. Not if you make a backup of your actual content of 4images. ;)
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: pkitty on August 26, 2005, 09:12:21 PM
Okay, will try it, gonna check my host's support forum and see if anybody else is experiencing this problem. Thank you *hug* for your help and advice. :)
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: Jan on August 29, 2005, 04:09:25 PM
If you don't want to have session ids in your URLs, open includes/session.php and remove the following part:

Code:
    if ($this->mode == "get" && strpos($url, $this->session_id) === false) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }

Note that after removing this, all users MUST have cookies enabled to be able to login.
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: TheOracle on August 30, 2005, 01:58:08 PM
http://www.4homepages.de/forum/index.php?topic=9506.0
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: JensF on January 06, 2006, 11:20:16 PM
Is this working with 1.7, too???
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: V@no on January 07, 2006, 04:11:57 AM
Quote

Is this working with 1.7, too???


Quote

This issue was introduced in 4images v1.7.1 (or at least I've never heard anyone reporting it before that)


The answer is no, v1.7 does not have this issue. In fact this "patch" is based on the method used in v1.7 ;)
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: JensF on January 07, 2006, 12:13:52 PM
Quote

If you don't want to have session ids in your URLs, open includes/session.php and remove the following part:

Code:
    if ($this->mode == "get" && strpos($url, $this->session_id) === false) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }

Note that after removing this, all users MUST have cookies enabled to be able to login.


Is this the code for the 1.7 version???

Code:
    if ($this->mode == "get" && !preg_match("/".SESSION_NAME."=/i", $url)) {
      $url .= preg_match("/\?/", $url) ? "$amp" : "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: V@no on January 07, 2006, 11:39:23 PM
No, you don't need this patch for v1.7, period.
Please pay attention to the headlines in the "Bug Fixes" forum: if it only says [1.7] - it's only for v1.7, if [1.7.1] - it's only for v1.7.1, and if it's [1.7 / 1.7.1] then it's for both v1.7 and v1.7.1
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: Gorbushka on February 20, 2006, 10:22:33 PM
I've patched sessions.php, but the sessionid is still present in the URL. What am I doing wrong?
Code:
    if (!isset($this->session_info['session_user_id'])) {
        return false;
    }
    if (!isset($this->session_info['session_ip']) || (isset($this->session_info['session_ip']) && $this->session_info['session_ip'] != $this->user_ip))
    {
      session_regenerate_id();
      $this->session_id = session_id();
      return false;
    }
Thanks.
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: V@no on February 21, 2006, 12:25:19 AM
This patch is not meant to remove the sessionid from the URL, it is meant to prevent others logging in with a sessionid that is not theirs.
Sessionid in the URL is a normal thing. Unless your cookies are blocked, it should only show the sessionid the first time you open a page; after a refresh it should be gone.
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: tsimmons on May 02, 2006, 09:06:32 PM
So, is there a fix available for 1.7.2 for the vulnerability suggested by Secunia? http://secunia.com/advisories/19908/ Or is 1.7.2 not really vulnerable?

Inquiring minds want to know ...  8O
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user account
Post by: skunk on September 11, 2007, 10:11:01 PM
That's about 1.7.1, what about 1.7.4? I can't find the lines where to patch.. and I need to remove the sessions from the URLs.. what to do?
Thanks
Title: Re: [1.7.1] sessionid in a URL=possible login visitor with the author's user acc
Post by: thunderstrike on September 12, 2007, 12:16:23 AM
@skunk:

http://www.4homepages.de/forum/index.php?topic=8895.msg56542#msg56542