Author Topic: [1.7.1] sessionid in a URL=possible login visitor with the author's user account  (Read 67503 times)

0 Members and 1 Guest are viewing this topic.

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
If you are logged in to your 4images and give a link to someone, with sessionid attached to it (http://example.com/4images/index.php?sessiond=3DwRG-ef4YHhp3xIv3GOMnQ8Qtd) then there is a chance, that the visitor who visited that link may get automaticaly logged in with your account. This issue was introduced in 4images v1.7.1 (or atleast I've never heard anyone reporting it before that).

Here is a beta patch. Open includes/sessions.php find:
Code: [Select]
    if (!isset($this->session_info['session_user_id'])) {
        return false;
    }
Insert below:
Code: [Select]
    if (!isset($this->session_info['session_ip']) || (isset($this->session_info['session_ip']) && $this->session_info['session_ip'] != $this->user_ip))
    {
      session_regenerate_id();
      $this->session_id = session_id();
      return false;
    }

and to ensure this to work on PHP older then v4.3.2, insert at the end of includes/functions.php just above closing ?> this:
Code: [Select]
if (!function_exists("session_regenerate_id"))
{
  function session_regenerate_id()
  {
    return session_id(md5(uniqid(microtime())));
  }
}


As of now, this patch is in stage "beta", untill more people test it, on more then one computer ;)
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline boatman9999

  • Jr. Member
  • **
  • Posts: 50
    • View Profile
Appears to work OK unless the user is viewing via the AOL browser which seems to change the IP address from one page to another. The script would then log the user out as the IP address does not match the one at login.

Disabling the [MOD] and writing session data to a temporary file, the IP addresses logged during one 5 minute session (from one AOL user) were:

195.93.21.101
195.93.21.70
195.93.21.34
195.93.21.104
195.93.21.71
195.93.21.103
195.93.21.71
195.93.21.101
195.93.21.71
195.93.21.70
195.93.21.101
195.93.21.70
195.93.21.65

As you can see, the first three numbers stay the same, but searching the web suggests that this cannot be relied upon.

Situation appears to be a known problem with other forums with session logging using IP addresses. See:

http://www.aota.net/forums/archive/index.php/t-16830.html   and:
http://forum.statcounter.com/phpBB2/viewtopic.php?p=25851&highlight=&


Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
That is correct, but that only will affect clients who's cookies are blocked. So, I dont see much problem with this ;)

P.S. I'm not going to mention how much I'm sorry for those who's using AOL and that for a long time I've been trying to figure out what kind of unrealistic power would make one use it in the first place...
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline bullseye

  • Newbie
  • *
  • Posts: 16
    • View Profile
Funktioniert bei mir nicht.... :(

Offline pkitty

  • Newbie
  • *
  • Posts: 28
    • View Profile
V@no,

Could you please look in the post above in the top thread about the security fix and see my question, I am having this error even though I have implemented the fixes...

TheOracle

  • Guest
Which PHP and mySQL version do you currently use ?

Offline pkitty

  • Newbie
  • *
  • Posts: 28
    • View Profile
php ver 4.3.11

my sql 4.0.23~standard

Offline Xyu BAM

  • Full Member
  • ***
  • Posts: 145
    • View Profile
can you reprodice it at any time?

TheOracle

  • Guest
Quote

php ver 4.3.11


Did you tried PHP v4.4.0.0 ? PHP.net already reported some sessions issues handling due to bad developping method count. ;)

Offline pkitty

  • Newbie
  • *
  • Posts: 28
    • View Profile
No, this is what my host offers, I cant upgrade it or anything.  I guess I will have to delete the album altogether then if this cant be resolved? I cant have any of the members haphazardously sending an email and somebody logging into their account.

Offline Xyu BAM

  • Full Member
  • ***
  • Posts: 145
    • View Profile

TheOracle

  • Guest
Quote

I cant have any of the members haphazardously sending an email and somebody logging into their account.


That's a different issue though. What is the exact error message that returns you ?

Offline pkitty

  • Newbie
  • *
  • Posts: 28
    • View Profile
Not an error, if somebody sends me a link in an email....when I click on the link, I am logged into their account and can change their info or what ever....No errors. Make sense?

TheOracle

  • Guest
Quote

Make sense?


If you mean that the problem you explained above is actually what 4images faces from your end, then - yes - it is an error and a massive one I might add.  8O

Offline pkitty

  • Newbie
  • *
  • Posts: 28
    • View Profile
wahtoh...LOL....not a good thing and I knew that. I am going to have one of my members try it again, if I click on the link and get logged into their account, even with the fixes that were suggested here, I have no choice...I dont know what else to do to stop the session id from coming up in the link.