[4244]SMF 2.0 RC3 - Obfuscation of session variable name breaks integration

Started by Orstio, April 01, 2010, 05:46:51 PM


MultiformeIngegno

NAO YOU DESERVE A STATUE!!!



They've disabled the patch and everything works flawlessly!!!!!!!!!

P.S.: Now let's leave in peace the poor Nao ( :P ) and let's ask the other devs: we've discovered the problem, and ensured it's not a SMF problem.. anyway is there a way to "avoid" this? Maybe a workaround that applies if SMF detects you have that configuration.. Are there many servers with that patch installed?
RockCiclopedia (wiki - forum), The whole history of rock, written by you ...
Stay up to date on the world of music with the new "RockCiclopedia Music News" feed!

Nao 尚

Quote from: MultiformeIngegno on June 14, 2010, 05:35:09 AM
OK man... you're right (as always). Also with SMF 2.0 RC2 it doesn't work.
You..........should have tried that......earlier.........  :o
It would have saved me several hours of comparing RC2 and RC3 code last week...

Quote
I've opened a ticket, hopefully they'll disable the patch or.. don't know.. they're always kind! :)
Just ask them to disable the two variables I mentioned. *Or* to tell you how to disable them via php.ini or .htaccess, because normally, their access level SHOULD allow you to disable them, but I tried and tried, and it never worked.
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

Nao 尚

Quote from: MultiformeIngegno on June 14, 2010, 06:17:39 AM
NAO YOU DESERVE A STATUE!!!
Lulz!!1

Quote
They've disabled the patch and everything works flawlessly!!!!!!!!!
Just the two variables, or the entire Suhosin?

Quote
P.S.: Now let's leave in peace the poor Nao ( :P ) and let's ask the other devs: we've discovered the problem, and ensured it's not a SMF problem.. anyway is there a way to "avoid" this? Maybe a workaround that applies if SMF detects you have that configuration.. Are there many servers with that patch installed?
Yes, Suhosin is pretty popular in the shared hosting world I believe. It's a way of closing some potential PHP holes I believe.
As for the cryptdocroot variable, I have no idea whether it's enabled by default or not.

The only way to fix it through SMF is to ini_set the two variables to Off. I've tested this on my server (which doesn't have them) and it didn't generate any issue, so it should be safe enough. As for security, I don't think disabling it would cause any trouble. Maybe disable them only if the loadSession() variable is called through SSI.php...? That may be a good solution, although not perfect (because with some code hacking, subdomains can be used on any SMF page, see noisen.com, so that wouldn't help SMF in case we implement the feature into v2.1 or v3.0.)
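The workaround Nao proposes above (calling ini_set on the two suhosin.*.cryptdocroot directives) is only useful if the host lets PHP change those directives at runtime, which is exactly what he could not confirm on a server without Suhosin. The diagnostic below is an added example, not SMF code: it reports whether Suhosin is loaded, which document root this request runs under, what the two directives are currently set to, and whether an ini_set to Off actually takes effect (read back through ini_get). The function names are my own; it assumes PHP 7 or later for the `??` operator and the `const` array. Run it once from a page on each (sub)domain that should share the session and compare the reported document roots.

```php
<?php
// Added diagnostic example (not part of SMF): check whether Suhosin's
// docroot-bound session/cookie encryption is active on this host, and whether
// the runtime ini_set() workaround from the thread takes effect.
// When these directives are On, Suhosin ties the session/cookie encryption key
// to the document root, so a session created under one virtual host's docroot
// cannot be read under another (the SSI.php-included-from-a-subdomain case).

const CRYPTDOCROOT_DIRECTIVES = [
    'suhosin.session.cryptdocroot',
    'suhosin.cookie.cryptdocroot',
];

/** Normalise an ini value ("1", "On", "0", "Off", "") to "On"/"Off". */
function ini_flag_to_string(string $raw): string
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN) ? 'On' : 'Off';
}

/** Report Suhosin presence, this request's docroot and the two directive values. */
function suhosin_cryptdocroot_status(): array
{
    $status = [
        'suhosin_loaded' => extension_loaded('suhosin'),
        'document_root'  => $_SERVER['DOCUMENT_ROOT'] ?? '(cli: no document root)',
        'directives'     => [],
    ];
    foreach (CRYPTDOCROOT_DIRECTIVES as $name) {
        $raw = ini_get($name); // false when this PHP build does not know the directive
        $status['directives'][$name] = ($raw === false) ? 'not present' : ini_flag_to_string($raw);
    }
    return $status;
}

/**
 * Try the runtime workaround and verify it by reading the value back.
 * ini_set() returns false when the directive cannot be changed at runtime;
 * if the value read back is still On, only the host's php.ini / vhost
 * configuration can disable it, as happened in this thread.
 */
function try_disable_cryptdocroot(): array
{
    $result = [];
    foreach (CRYPTDOCROOT_DIRECTIVES as $name) {
        if (ini_get($name) === false) {
            $result[$name] = 'not present';
            continue;
        }
        ini_set($name, '0'); // attempt to turn the directive Off for this request
        $after = ini_flag_to_string((string) ini_get($name));
        $result[$name] = ($after === 'Off')
            ? 'Off after ini_set: runtime workaround works here'
            : 'still On after ini_set: must be changed by the host';
    }
    return $result;
}

// Usage: request this script from each (sub)domain and compare document_root.
header('Content-Type: text/plain');
print_r(suhosin_cryptdocroot_status());
print_r(try_disable_cryptdocroot());
```

If the two document roots differ and both directives read On, the symptom in this thread (sessions not shared across the subdomain) is expected and is a hosting configuration matter, not an SMF bug; if ini_set reports Off, the values could be set from SMF's bootstrap before the session is started.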

MultiformeIngegno

Quote from: Nao on June 14, 2010, 07:24:15 AM
Quote
They've disabled the patch and everything works flawlessly!!!!!!!!!
Just the two variables, or the entire Suhosin?

Quote
Hello Lorenzo,
Sorry to hear about this. The SuHosin configuration we were running was the default one, however we hadn't realised that the default configuration could cause this kind of problem.

We've gone ahead and disabled suhosin.session.cryptdocroot and suhosin.cookie.cryptdocroot now (as can be seen under the "suhosin" heading of this phpinfo() page: http://devotedhosting.com/phpInfo1492.php )

Hopefully this problem should now be resolved (Googling this issue does show a few people having a similar problem with subdomain script linking, when this setting is on). Please let us know if you need any other settings changed however :)

Many thanks!

Nao 尚

Good, good. BTW, googling devotedhosting brings me to a SMF beta tester's signature... So I can only guess they were indeed eager to help ;)

The bad news is that the setting is On by default, then. And if everything's the default setting, then it can't be turned off by SMF either. Maybe this will need a mention in an FAQ or something.

Norv, you're the assignee for the bug report -- how would you like us to deal with it?

Norv

*reads around the suhosin doc and other reported cases on the net.*
Oh darn. Thank you Nao! This was a good one! :)
Thank you for the time put in it.

I don't think there's much SMF can do; it seems to me rather rare, I think. The domain/subdomains should be set up as different virtual hosts in the apache/lighttpd configuration files (so with different docroot); the session encryption key is set in the suhosin configuration to depend on the docroot...
I do tend to think it should be documented, in our doc about SSI/other integrations, because afaics that's what it might interfere with.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Nao 尚

Yeah, it's sad that it can't be fixed once and for all within SMF.
I'll leave the rest to you.

I'm currently focusing on my remaining bugs. (And reading your PMs.... :P)

ziycon

Is this considered a candidate as a valid bug, as it's quite an involved issue and heavily server config related?

shawnb61

Closing old 2.0 bugs - 2.0 is in security fixes-only at this point.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp
