I hope this is in the right section. I'd appreciate some feedback. I received the following two PMs from two separate members of my forum:
Quote:
Hi, I was talking to Ashley, XXXXXXXXX, and I sent her a link from "Canada Discus" forum through MSN. She clicked on the link, and it said log in, and only asked for the password and it already had her name in the username box. She put in her password and she was on my account. She logged out, I went on the site and it said log in, my username was in the username box, and I typed my password and I was in XXXXXXXXX's account.
What's going on, the site sure doesn't have great security.
Quote:
I was chatting with a friend who is also a member on the forum and it seemed something got crossed along the lines and I thought I should let you know.
The member in question directed me to a specific thread, giving me the link that was in his browser's address bar. The forum software then asked me to log in (as far as I knew, I was already logged in). So, I entered my username and password, and the forum software proceeded to tell me that I was logged in as my friend.
I tried to see if I actually could go into his settings and change things (see how far this goes) and it just asked me to log in again, so I did, and it logged me back in as my friend. As soon as I manually logged out and logged back in as myself, it told me that I did not have permission to modify that member group.
Just a heads up in case this is actually a problem. Hopefully it's just a glitch and not a real security issue.
This should be posted in SMF Development > SMF Coding Discussion.
Quote:
Think you've found some minor typos or - don't say it - bugs?
http://www.simplemachines.org/community/index.php?board=60.0
Exchanging session IDs is a potential security risk. SMF will hide session IDs from the URL whenever possible. However, if PHP isn't configured properly or if the user's browser doesn't support cookies, it has no other way than to add the session ID to the URL. If you can give a link to your phpinfo, I can check, if you like, whether your PHP is configured to hide the session IDs by default.
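As an added example (not from this thread and not SMF's own code), the following script checks the three real php.ini directives that decide whether PHP will ever put a session ID into a URL. The script and its function names are my own; only the directive names are PHP's. With `session.use_only_cookies` on and `session.use_trans_sid` off, a link copied from the address bar or pasted into MSN cannot carry a `PHPSESSID` value, which is the mechanism behind the two members ending up in each other's accounts.

```php
<?php
// Added example, not part of the original thread or of SMF itself.
// Reports whether PHP is configured to keep session IDs in cookies only,
// which is what stops ?PHPSESSID=... from being appended to forum links
// that members then paste into chat or copy from the address bar.

/** Normalise ini values such as "1", "On", "", "0" to a bool. */
function iniBool(string $name): bool
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

/** Return [directive => [wanted, actual, ok]] for the session settings that matter here. */
function sessionIdUrlChecks(): array
{
    $wanted = [
        'session.use_cookies'      => true,  // sessions must be cookie-based at all
        'session.use_only_cookies' => true,  // never accept the ID from the query string
        'session.use_trans_sid'    => false, // never rewrite links to carry the ID
    ];
    $result = [];
    foreach ($wanted as $directive => $want) {
        $actual = iniBool($directive);
        $result[$directive] = ['wanted' => $want, 'actual' => $actual, 'ok' => $actual === $want];
    }
    return $result;
}

/** True only if every check passes, i.e. a session ID can never travel in a URL. */
function sessionIdStaysOutOfUrl(): bool
{
    foreach (sessionIdUrlChecks() as $check) {
        if (!$check['ok']) {
            return false;
        }
    }
    return true;
}

// Report each directive, then an overall verdict.
foreach (sessionIdUrlChecks() as $directive => $check) {
    printf("%-26s wanted=%-5s actual=%-5s %s\n",
        $directive,
        var_export($check['wanted'], true),
        var_export($check['actual'], true),
        $check['ok'] ? 'OK' : 'FIX in php.ini');
}
echo sessionIdStaysOutOfUrl()
    ? "Session IDs stay in cookies; shared links will not carry them.\n"
    : "Session IDs may be appended to URLs; fix the flagged directives.\n";
```

Run it through the web server rather than the command line, because the CLI and the web SAPI can load different php.ini files and the web one is the one SMF sees; the same values are visible on the phpinfo page the reply above asks for. The trade-off is the one already noted in the thread: with `session.use_only_cookies` on, a member whose browser blocks cookies cannot stay logged in at all, but no one else can inherit their session from a pasted link.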