Author Topic: Users are being logged in as Admin. How?  (Read 10867 times)


Offline lyndie

  • Newbie
  • *
  • Posts: 10
Users are being logged in as Admin. How?
« on: August 02, 2006, 03:05:46 AM »
I just received an email from one of my registered users telling me that she had logged in as me. She had access to the control panel. Thank God she was honest and told me about it right away. But how does this happen? I have version 1.7.2 and I do NOT want to deal with a manual upgrade. My server has Fantastico installed which normally carries all upgrades. Is 1.7.3 going to be included in Fantastico soon? I know nothing about RSS feeds and the other updates in the new build. I really just need to know how to fix this incorrect login problem asap. I have over 1200 registered users in this site.

Please help
Thank you

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: Users are being logged in as Admin. How?
« Reply #1 on: August 02, 2006, 03:19:36 AM »
Quote
Is 1.7.3 going to be included in Fantastico soon?

It's the wrong place to ask such a question. You'd better ask the Fantastico support center...
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline lyndie

  • Newbie
  • *
  • Posts: 10
Re: Users are being logged in as Admin. How?
« Reply #2 on: August 02, 2006, 03:50:31 AM »
Is that who I ask about 4images logging regular users as an admin? I don't think so. This is a serious problem and I ask for a HINT of what I need to do to fix it. Thanks anyway. I have 7 installed....will take them all out.....

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: Users are being logged in as Admin. How?
« Reply #3 on: August 02, 2006, 05:07:01 AM »
Yes, you are right, I'm sorry.

The only known possible way to get logged in as a different member is to get ahold of an active sessionid (for example, by visiting a fresh URL to the gallery with a sessionid attached to it). But even then, you must be on the same IP as the member who started the session. So, never give anyone a link with a sessionid in it!

So, unless you could reproduce this, there is nothing we could work with...sorry.

Offline jordyyy

  • Newbie
  • *
  • Posts: 15
Re: Users are being logged in as Admin. How?
« Reply #4 on: August 02, 2006, 07:08:37 PM »
Actually with 1.7.2 I had that problem if an admin cut and pasted a url with the session id info.

Didn't matter what IP the end user was on, it logged them in as that admin.

I did the security mods and it seemed to fix it.

the upgrade to 1.7.3 is easy, there is a txt file to follow, not a difficult thing ( I am not a geek and things are usually difficult for me) :wink:
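
An added example, not part of any post in this thread and not 4images code: a log check an administrator could run to see whether a session ID carried in a URL was presented from more than one client address, the situation the replies above describe. The parameter name `sessionid`, the Common Log Format layout, the request paths and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: the session ID travels in a query parameter named "sessionid",
# following the wording used in this thread.
SESSION_PARAM = "sessionid"

# Common Log Format prefix: client IP, identity, user, [timestamp], "METHOD target PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

# Constructed sample log lines (documentation IP ranges, made-up paths and session IDs).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Aug/2006:02:41:07 +0000] "GET /gallery/?sessionid=aaaa1111 HTTP/1.1" 200 5120
192.0.2.10 - - [02/Aug/2006:02:43:30 +0000] "GET /gallery/manage?sessionid=aaaa1111 HTTP/1.1" 200 7301
198.51.100.7 - - [02/Aug/2006:02:58:12 +0000] "GET /gallery/view?item=5&sessionid=aaaa1111 HTTP/1.1" 200 4410
203.0.113.4 - - [02/Aug/2006:03:01:00 +0000] "GET /gallery/?sessionid=bbbb2222 HTTP/1.1" 200 5120
203.0.113.4 - - [02/Aug/2006:03:01:09 +0000] "GET /gallery/view?item=3 HTTP/1.1" 200 3900
"""

def session_ids_by_ip(log_text):
    """Map each URL-borne session ID to the ordered list of client IPs that sent it."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _timestamp, target = m.groups()
        for sid in parse_qs(urlsplit(target).query).get(SESSION_PARAM, []):
            if ip not in seen[sid]:
                seen[sid].append(ip)
    return dict(seen)

def shared_sessions(log_text):
    """Return only the session IDs presented by more than one client IP."""
    return {sid: ips for sid, ips in session_ids_by_ip(log_text).items() if len(ips) > 1}

if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used from {len(ips)} addresses: {', '.join(ips)}")
```

A hit is a lead to review rather than proof of a shared link, since one visitor's address can change between requests (proxies, mobile networks).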

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: Users are being logged in as Admin. How?
« Reply #5 on: August 02, 2006, 07:20:34 PM »
Quote
Actually with 1.7.2 I had that problem if an admin cut and pasted a url with the session id info.

Didn't matter what IP the end user was on, it logged them in as that admin.

I did the security mods and it seemed to fix it.

This issue was fixed in v1.7.2, and there is no security fix for v1.7.2 that fixes this...are you sure you had v1.7.2 and not v1.7.1? (not that it matters now, just curious ;))

Offline jordyyy

  • Newbie
  • *
  • Posts: 15
Re: Users are being logged in as Admin. How?
« Reply #6 on: August 03, 2006, 02:37:37 AM »
It could have been 1.7.1 not 100%   

I just checked though in 1.7.3 and it is showing the session id in URLs. I just delete the session id stuff from any pasted URLs, but if there is a fix to not show that in the URL it would be safer.

So Veno do you happen to know off hand what/where that mod/fix is?
 
I just found the fix for older version so I opened my sessions.php in 1.7.3 (was in the includes dir)

and the code matches the security fix for older
Quote
$user_id = ($this->read_cookie_data("userid")) ? intval($this->read_cookie_data("userid")) : GUEST;

So in 1.7.3 why is the session id still showing up in the url?  I am blonde and old so be nice please :wink:
« Last Edit: August 03, 2006, 02:52:32 AM by jordyyy »

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: Users are being logged in as Admin. How?
« Reply #7 on: August 03, 2006, 03:38:25 AM »
A session id in the URL is NOT a security risk as it is. The session id is necessary for 4images to operate properly. It is only shown the first time the page is visited or if cookies are blocked.

Offline jordyyy

  • Newbie
  • *
  • Posts: 15
Re: Users are being logged in as Admin. How?
« Reply #8 on: August 03, 2006, 08:26:50 AM »
Thanks Veno! YOU ROCK! 8)

Offline lyndie

  • Newbie
  • *
  • Posts: 10
Re: Users are being logged in as Admin. How?
« Reply #9 on: August 05, 2006, 12:54:39 AM »
First of all I NEVER give anyone a URL with session ID in it. So not sure how they got logged in as me. I have done the upgrade, after losing an entire test site first lol. But so far everything seems to be working fine. Except on one domain I have a strange problem. There have been a few users download and the site closes. They then have to log back in. But I can't find a fix for this. Any ideas?

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: Users are being logged in as Admin. How?
« Reply #10 on: August 05, 2006, 01:54:45 AM »
They must have blocked cookies, or something like that...do you experience such an issue? If not, it's obviously the visitor's problem...

P.S. Just in case you or they didn't know, in order to stay logged in after closing the browser, you must tick the checkbox "Remember me" when logging in.

Offline lyndie

  • Newbie
  • *
  • Posts: 10
Re: Users are being logged in as Admin. How?
« Reply #11 on: August 05, 2006, 06:41:46 AM »
Thank you V@no, yes I did know about ticking the remember me box ... and as far as it happening to me, no it hasn't yet. I've tried a few times to see if it would close my browser but as of yet it hasn't. It's only on this domain that I have that problem. All the others are working as they should. Strange is all I can say.
Thanks again..appreciate it. :)