Author Topic: [1.7.1] sessionid in a URL=possible login visitor with the author's user account  (Read 69909 times)

0 Members and 1 Guest are viewing this topic.

TheOracle

  • Guest
Quote

I dont know what else to do to stop the session id from coming up in the link.


Well, if by re-installing 4images does not resolve the issue, you'd need to ask your ISP if the session.auto_start is set to off.

Offline pkitty

  • Newbie
  • *
  • Posts: 28
    • View Profile
if I reinstall, will I lose everything, like mods and stuff?

TheOracle

  • Guest
Quote

if I reinstall, will I lose everything, like mods and stuff?


No, not necessarely. Not if you make a backup of your actual content of 4images. ;)

Offline pkitty

  • Newbie
  • *
  • Posts: 28
    • View Profile
Okay, will try it, gonna check my hosts support forum and see if anybody else is experiencing this problem. Thank you *hug* for your help and advice. :)

Offline Jan

  • Administrator
  • 4images Guru
  • *****
  • Posts: 5.024
    • View Profile
    • 4images - Image Gallery Management System
If you dont want to have session ids in you URLs, open includes/session.php and remove the following part:

Code: [Select]
    if ($this->mode == "get" && strpos($url, $this->session_id) === false) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }

Note that after removing this, all users MUST have cookies enable to be able to login.
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search


Offline JensF

  • Addicted member
  • ******
  • Posts: 1.028
    • View Profile
    • http://www.terraristik-galerie.de
Is this working with 1.7, too???
Mit freundlichem Gruß
Jens Funk



-> Sorry for my bad English <-

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Is this working with 1.7, too???

This issue was introduced in 4images v1.7.1 (or atleast I've never heard anyone reporting it before that)

The answer is no, v1.7 does not have this issue. In fact this "patch" is based on the method used in v1.7 ;)
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline JensF

  • Addicted member
  • ******
  • Posts: 1.028
    • View Profile
    • http://www.terraristik-galerie.de
If you dont want to have session ids in you URLs, open includes/session.php and remove the following part:

Code: [Select]
    if ($this->mode == "get" && strpos($url, $this->session_id) === false) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }

Note that after removing this, all users MUST have cookies enable to be able to login.


is this the code fpr the 1.7 version???

Code: [Select]
if ($this->mode == "get" && !preg_match("/".SESSION_NAME."=/i", $url)) {
     $url .= preg_match("/\?/", $url) ? "$amp" : "?";
    $url .= SESSION_NAME."=".$this->session_id;
    }
Mit freundlichem Gruß
Jens Funk



-> Sorry for my bad English <-

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
no, you dont need this patch for v1.7, period.
Please pay attention to the headlines in "Bug Fixes" forum, if it only says [1.7] - its only for v1.7, if [1.7.1] - its only for v1.7.1 and if its [1.7 / 1.7.1] then its for both v1.7 and v1.7.1
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline Gorbushka

  • Pre-Newbie
  • Posts: 1
    • View Profile
I've patched sessions.php, but sessionid still present in URL. What am i do wrong?
Code: [Select]
    if (!isset($this->session_info['session_user_id'])) {
        return false;
    }
    if (!isset($this->session_info['session_ip']) || (isset($this->session_info['session_ip']) && $this->session_info['session_ip'] != $this->user_ip))
        {
         session_regenerate_id();
        $this->session_id = session_id();
         return false;
         }
thanks.

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
This patch is not ment to remove sessionid in the url, it ment to prevent others loging with not their sessionid.
Sessionid in the url is a normal thing. Unless your cookies are blocked, it should only show sessionid first time you opened a page, after refresh it should be gone.
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline tsimmons

  • Pre-Newbie
  • Posts: 4
    • View Profile
So, is there a fix available for 1.7.2 for the vulnerability suggested by Secunia? http://secunia.com/advisories/19908/ Or is 1.7.2 not really vulnerable?

Inquiring minds want to know ...  8O

Offline skunk

  • Pre-Newbie
  • Posts: 7
    • View Profile
thats about 1.7.1, what about 1.7.4 ? i cant find the lines where to patch.. and i need 2 remove the sessions from the urls .. what to do?
Thanks

Offline thunderstrike

  • 4images Guru
  • *******
  • Posts: 2.327
    • View Profile
8 steps need when ask question -

- PHP version (ACP - > phpinfo())
- mySQL version (ACP - > phpinfo())
- 4images version
- Post screenshot / URL
- Post code in BB Code (no need full file for code) or post attach file
- It doesn't work. What is say - what is do for no work
- Install MOD ? If so - please say (troubleshooting)
- Read FAQ ? Install Bug fixes ?