
Random login glitch placed user as myself (Admin)

Started by Celestialkey, February 24, 2010, 09:30:29 PM


Celestialkey

Version: SMF 1.1.11
Theme: Using Default
Mods Installed:

  • SMF Links v1.8.2
  • Floating Bar Mod v1.0
  • Inline Attachments v1.0.4.2
  • Profile Comments v2.0
  • Custom BBCode v2.00
  • Show All Edits In Messages v1.0
  • Anti Spam Verification Questions v1.02
  • Syntax Highlighter v1.0

No logs show any errors around the time of the login/glitch.
No logs show any suspicious moderation activities

Problem Explanation: I'm still attempting to trace down the original poster; however, a user tried to log in and somehow managed to log in as an administrator with my account.
My apologies for the horrible link format below; however, I'm "not allowed to post external links".
CelestialCoding (dot) com/index (dot) php?topic=1388.msg9390;topicseen#new

My moderation logs show that no moderator on the forum split a topic and modified the contents to mimic such a post.

Any ideas on how this could happen? If this is a fluke, it's quite scary since it has a chance of repeating.

I'll continue to look into it and validate what user actually managed this.
-Justin Sterling (Celestialkey)

wilsy

Hi all,

I've just had a member login and he was logged in as someone else who is a moderator at my site.

I've checked and they're both showing as having the same IP address.

Any ideas?



Busy RewindBikers offered to Good Home! 1000+ members, loads of mods, SMF Gallery PRO, TinyPortal installed with great use of blocks, ultimate profiles, PAID SUBSCRIPTIONS (works flawlessly), great theme, 1,500 posts per month - PM or email me if interested.

JBlaze

Quote from: wilsy on March 06, 2010, 08:42:52 AM
Hi all,

I've just had a member login and he was logged in as someone else who is a moderator at my site.

I've checked and they're both showing as having the same IP address.

Any ideas?

Maybe he's over at his friend's house, and his friend so happens to be one of your moderators...
Jason Clemons
Former Team Member 2009 - 2012

wilsy

Quote from: JBlaze on March 06, 2010, 08:45:16 AM
Quote from: wilsy on March 06, 2010, 08:42:52 AM
Hi all,

I've just had a member login and he was logged in as someone else who is a moderator at my site.

I've checked and they're both showing as having the same IP address.

Any ideas?

Maybe he's over at his friend's house, and his friend so happens to be one of your moderators...

No, that was one of the first questions I asked. They don't know each other and they've never used the same PC.

At first I was a bit cynical and thought they were mistaken, until I checked the IP addys and confirmed with the mod that he didn't log on yesterday. Yet his account shows him logged in at 10:47am, the same time as the member says they logged in with their own credentials but were logged in as the moderator.

I was greatly concerned and when I came here and saw this post I'm now convinced there's a security flaw in SMF :(




Arantor

Or guessed the password?

Or guessed the password to email address and did something with that?

Don't jump the gun and say it's a security hole since there's a better chance it probably isn't.
Holder of controversial views, all of which my own.


wilsy

Quote from: Arantor on March 07, 2010, 09:46:30 AM
Or guessed the password?

Or guessed the password to email address and did something with that?

Don't jump the gun and say it's a security hole since there's a better chance it probably isn't.

The site is for my professional association and the person who logged in and ended up in the moderators account was a 60 something techno noob. Trust me; he entered his own username and his own password and as a result ended up logged in as someone else.




Arantor

There's still a variety of reasons that could cause that without it being a security hole.

Shared server? Damaged table index on the members table?


wilsy

Quote from: Arantor on March 07, 2010, 11:37:36 AM
There's still a variety of reasons that could cause that without it being a security hole.

Shared server? Damaged table index on the members table?

Are you able to elaborate on what you mean? How does a shared server affect this?

How would I identify a damaged member table index?




Arantor

Shared server is potentially a problem where you have multiple applications vying for access to the session handler.

Damaged index... no exact way to identify. From phpMyAdmin, have it optimize the members table; should rebuild the index.

Point is, don't just blindly assume it is a security hole. If you're certain it is, please see the Report a security issue page from the Development link on the top right. The devs can then contact you for further information, but really I'm not 100% sure it is a security hole at this point in time.


wilsy

Quote from: Arantor on March 07, 2010, 11:52:50 AM
Shared server is potentially a problem where you have multiple applications vying for access to the session handler.

Damaged index... no exact way to identify. From phpMyAdmin, have it optimize the members table; should rebuild the index.

Point is, don't just blindly assume it is a security hole. If you're certain it is, please see the Report a security issue page from the Development link on the top right. The devs can then contact you for further information, but really I'm not 100% sure it is a security hole at this point in time.

I thought the OP had posted this in the bug reports section of the forum so the information is here if one of the devs wishes to pick it up. I run a number of SMF forums and have been completely happy with them, in fact I still am :)

I would also advise that whilst your advice is sound it could also be a security flaw in SMF and certainly worth raising, although you seem very quick to dismiss it and the concerns of the op and myself. I don't want this to get into a who's right and who's wrong debate, it just disappoints me when there's no empathy for the op who must be worried sick that someone can (seemingly) access his admin account.

>>>>>>>>>> Steps down off soapbox ;)




Arantor

I'm not saying there isn't a problem. I'm just saying it may not be a security issue in SMF itself. There's a whole massive other bunch of stuff it could be is all.

None of the mods seem to me to be obvious candidates for messing stuff around. What about the host being overly efficient on caching content and mis-serving content as a result?


Norv

Quote from: wilsy on March 07, 2010, 12:19:00 PM
Quote from: Arantor on March 07, 2010, 11:52:50 AM
Shared server is potentially a problem where you have multiple applications vying for access to the session handler.

Damaged index... no exact way to identify. From phpMyAdmin, have it optimize the members table; should rebuild the index.

Point is, don't just blindly assume it is a security hole. If you're certain it is, please see the Report a security issue page from the Development link on the top right. The devs can then contact you for further information, but really I'm not 100% sure it is a security hole at this point in time.

I thought the OP had posted this in the bug reports section of the forum so the information is here if one of the devs wishes to pick it up. I run a number of SMF forums and have been completely happy with them, in fact I still am :)

I would also advise that whilst your advice is sound it could also be a security flaw in SMF and certainly worth raising, although you seem very quick to dismiss it and the concerns of the op and myself. I don't want this to get into a who's right and who's wrong debate, it just disappoints me when there's no empathy for the op who must be worried sick that someone can (seemingly) access his admin account.

>>>>>>>>>> Steps down off soapbox ;)

I fully agree, of course. And indeed, this board *is* monitored by developers. The security report is also a tool to use, if you suspect a security flaw.

About the issue at hand: they could also have the same IP if they're from the same general area (same ISP), and their ISP assigns them internal IPs - meaning they might connect to the world through the same external IP (one of the ISP's routers). Could that be the case?
They could also have the same IP if they both connected through a public proxy (then that proxy address would be recorded, since this is the only information that gets to SMF).
Of course, there are the other possibilities like connecting from an internet cafe (in an area where the other lives), that could also lead to the same external IP.
I am enumerating the possibilities that need checking and eventually eliminating; I am not implying it *has* to be one of them.

Then, could you eventually let us know this IP? To eventually try to eliminate alternatives. If you consider this public board may be less appropriate for posting your users' IPs, the security report to check or a PM might be more suitable. As you want, really.

Then, do they have other IPs recorded in SMF? SMF usually records two addresses, do the other ones differ, or? Could be good to check out the other IPs recorded currently in your database for them. You may want to note however that IMHO, the probability that the IPs will indeed put us on the right track is low.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.


Orstio

Quote from: wilsy on March 06, 2010, 10:03:52 AM
Quote from: JBlaze on March 06, 2010, 08:45:16 AM
Quote from: wilsy on March 06, 2010, 08:42:52 AM
Hi all,

I've just had a member login and he was logged in as someone else who is a moderator at my site.

I've checked and they're both showing as having the same IP address.

Any ideas?

Maybe he's over at his friend's house, and his friend so happens to be one of your moderators...

No, that was one of the first questions I asked. They don't know each other and they've never used the same PC.

At first I was a bit cynical and thought they were mistaken, until I checked the IP addys and confirmed with the mod that he didn't log on yesterday. Yet his account shows him logged in at 10:47am, the same time as the member says they logged in with their own credentials but were logged in as the moderator.

I was greatly concerned and when I came here and saw this post I'm now convinced there's a security flaw in SMF :(

Does either of them (or both of them) use a public access point?  Can you ask them both what browser they each use?

Quote from: Arantor on March 07, 2010, 11:52:50 AM
Shared server is potentially a problem where you have multiple applications vying for access to the session handler.

Damaged index... no exact way to identify. From phpMyAdmin, have it optimize the members table; should rebuild the index.

Point is, don't just blindly assume it is a security hole. If you're certain it is, please see the Report a security issue page from the Development link on the top right. The devs can then contact you for further information, but really I'm not 100% sure it is a security hole at this point in time.

Since SMF has a custom session handler, challenge login, salted sha1 passwords, and logins being maintained by client-side cookie rather than by session, the possibility of this being anything server-side outside of SMF itself is so minuscule it is not even worth mentioning. If it did happen to be something non-SMF server-side, nobody would trip it by accident, at any rate.

So, this is either SMF or client-side, which means that something needs to change in SMF to stop this from happening in both cases.
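
Two points raised in this thread can be combined into a concrete check: the suggestion that the host may be caching and mis-serving content, and the note that logins are maintained by a client-side cookie. The following is an added example, not code from any poster or from SMF: it classifies HTTP responses that carry `Set-Cookie` by whether a shared cache is permitted to store them, using simplified RFC 9111 rules. The sample responses and the cookie name are constructed.

```python
# Added example: simplified RFC 9111 storage rules, constructed sample responses.
HEURISTIC_STATUS = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Return {directive: argument or None}, directive names lower-cased."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_verdict(status, headers):
    """Classify one response by whether a shared cache may store its cookie."""
    h = {k.lower(): v for k, v in headers}
    if "set-cookie" not in h:
        return "no-cookie"
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return "not-storable"        # shared caches must not keep this response
    if cc.keys() & {"public", "s-maxage", "max-age"} or "expires" in h:
        return "storable-explicit"   # headers invite a shared cache to keep it
    if status in HEURISTIC_STATUS:
        return "storable-heuristic"  # nothing forbids it; the cache decides
    return "not-storable"

COOKIE = ("Set-Cookie", "forumcookie=constructed-value; path=/")  # hypothetical name
SAMPLES = [  # constructed responses, not captured from any real site
    ("login page, host-wide caching rule", 200,
     [COOKIE, ("Cache-Control", "public, max-age=600")]),
    ("login page, marked private", 200,
     [COOKIE, ("Cache-Control", "private, no-store")]),
    ("login page, no caching headers", 200, [COOKIE]),
    ("redirect after login", 302, [COOKIE, ("Location", "/index.php")]),
    ("static image", 200, [("Cache-Control", "public, max-age=86400")]),
]

def audit(samples):
    """Map each sample label to its verdict."""
    return {label: shared_cache_verdict(status, hdrs) for label, status, hdrs in samples}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{verdict:20}{label}")
```

A response reported as storable while it carries a login cookie is the case to fix, by having the application or host send `Cache-Control: private` or `no-store` on it.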

wilsy

Apologies for the delay.

In my case both users live over 100 miles from each other and don't know each other.




emanuele

I can't see any way to have such a situation unless the data are messed up in the db for any reason...

Better idea anyone?


Take a peek at what I'm doing! ;D




Need support in Italian?

Help us to help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.
