[4244] SMF 2.0 RC3 - Obfuscation of session variable name breaks integration

Started by Orstio, April 01, 2010, 05:46:51 PM

Arantor


Nao 尚

Oh... Good then. I don't think you told me 'bout that ;)

So, back to the session_var issue now...

Could more people please confirm that my own version of the SSI file is working? (And again no, it's not something in SSI.php that magically fixes it... None of the changes are related to sessions and login.)
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

MultiformeIngegno

RockCiclopedia (wiki - forum), the whole history of rock, written by you ...
Stay up to date on the music world with the new "RockCiclopedia Music News" feed!

Nao 尚

Team... We should be discussing the possibility of moving SMF2 to my own subdomain-handling system, shouldn't we?

Arantor

If it works like it sounds like it should and doesn't add any security issues (i.e. makes it easier to grab the session id, or permits session fixation), I'm all for it, since this is a blocker for one project (though a distant one, plenty of stuff to worry about before this becomes an actual issue).

MultiformeIngegno

Sinan should also be interested in this. I've noticed that it also affects simpleportal in standalone mode with the portal in another subdomain (every time you try to log in from the portal you get the 'password wrong' error)!

Norv

*starts to read all the thread, but decides to ask meanwhile, just in case*

Did we discover what exactly was/were the issue(s) here? :)
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Nao 尚

So far, no...
What we have is:
- Plenty of things were tried, without success
- We know nearly for sure that it works on noisen.com
- I've analyzed the code differences between RC2 and RC3 and couldn't find anything suspicious related to sessions,
- I've analyzed pretty much all of the code differences between noisen and RC3 (this took me easily 3 hours today), and unfortunately, didn't find anything either. (In the process I made a few fixes for other things, which I committed to rev 9959 I believe.)

I've done other changes I haven't committed, in the hope that they could be related, but first of all I'll have to install a new subdomain for use with my clean copy of rc3. I'm also waiting on feedback from Lorenzo (I asked him for FTP access to be able to trace through his code, in case the problem doesn't happen on my clean copy.)

Ah, and finally -- the biggest issue right now is with my server: it was down for 3 hours this morning because of CPU abuse. I think I've had an attack or something, because I actually had less traffic according to my stats... So, I've been discussing with a friend and I'll be moving noisen.com to a new server. Hopefully it won't take too much time to do.

MultiformeIngegno

Quote from: Nao on June 09, 2010, 02:20:07 PM
I'm also waiting on feedback from Lorenzo (I asked him for FTP access to be able to trace through his code, in case the problem doesn't happen on my clean copy.)
Sent! ;)

Norv

I knew this was going to be trouble. But hey, you wanted it, you didn't have to take the hardest bug on our list for yourself, that's ... selfish, I say! :D :D :D
I just have this feeling you kinda like the challenge...

(sorry to hear about your server btw)

Nao 尚

@Lorenzo> Got it... Will look into it tomorrow. Tonight I... I was... I was watching Glee. OMG people are gonna throw eggs at me now. My girlfriend made me do it, I swear!

Quote from: Norv on June 09, 2010, 02:43:45 PM
I knew this was going to be trouble. But hey, you wanted it, you didn't have to take the hardest bug on our list for yourself, that's ... selfish, I say! :D :D :D
Oh... I'm pretty sure there are harder bugs than this one!
Heck, I haven't even looked at the entire list of 60 bugs. I always have trouble keeping up.

Quote: I just have this feeling you kinda like the challenge...
Not really... What I like is when I beat it, eheh.
I only hope that it's not a false hope we have here: (1) specific server configuration or (2) a 'fix' that introduces (or cancels out) another security fix.

Quote: (sorry to hear about your server btw)
Well, it was long overdue I guess... I just would have appreciated that it crashed in April instead, back when I was living the sweet days of not having to work on SMF.  ::)

MultiformeIngegno

Quote from: Nao on June 09, 2010, 06:12:50 PM
I only hope that it's not a false hope we have here: (1) specific server configuration or (2) a 'fix' that introduces (or cancels out) another security fix.
I've tried it on another server/host and I reproduced the same behavior.. :(

Quote from: Nao on June 09, 2010, 06:12:50 PM
I was watching Glee. OMG people are gonna throw eggs at me now. My girlfriend made me do it, I swear!
Hahahah!! ;D

Nao 尚

I'm dead!!!

Oh, btw, I reproduced the bug on a fresh install of the latest svn, with two different subdomains, using the same setup (ie the SSI subdomain is in a folder inside the main subdomain.)
So, it's definitely not a problem with your server. It'll be easier for me to deal with (as it's a test server), I won't be needing your ftp details again. (I only use other people's ftp details as a last resort.)

MultiformeIngegno

Quote from: Nao on June 09, 2010, 06:49:36 PM
Oh, btw, I reproduced the bug on a fresh install of the latest svn, with two different subdomains, using the same setup (ie the SSI subdomain is in a folder inside the main subdomain.)
So, it's definitely not a problem with your server. [...]
Well.. it's bad/good news... Bad because it means it's definitely a bug, good because you can analyze it better! :)

Nao 尚

Okay.... Some more news. Could be good for you (a fix) and bad for me (no way to determine what causes the fix.)

Yesterday, I didn't spend a LOT of time on this bug, I simply made sure to reproduce the setup exactly, etc, made several attempts, then upgraded my test site to the latest SVN, noticed a few glitches and switched to fixing other issues.

This morning -- I'm back on it. Took me some time to get my mind ready because, well... It's a big one.

So... I went to http://ssi dot geez dot fr/ and typed in my user name & password to get the error to happen again and check some logs.
It frigging worked.
Went back to the SSI page, refreshed: was logged in. Clicked logout: was logged out without issues.

Okay... Here's the thing. *I didn't change anything to it*!!!
All I did was upgrade my SVN copy from May 28 to June 9 just so I could test my changes. That's all!
So. Did I fix the bug recently without noticing? I don't think so. Did I fix it in the SVN these last few weeks in an unrelated fix, and forgot to upload related files to my site? Unlikely, but possible.

I tried with IE8, same thing. It worked...
I tried with Chrome, which I'd never used on geez dot fr, and it worked, so it means it is not something that magically fixes itself after several login attempts.

Can you confirm, Lorenzo?

To anyone else: did you recently (i.e. less than a month) try to reproduce the bug on your test setups, with similar results? Did you retry recently? (i.e. these last few days)

MultiformeIngegno

It doesn't fix automatically.. it's since I upgraded to rc3 from rc2 that I reproduce it (every browser, also in "private mode" so cache is empty) and it never fixes magically!

Another test you can try: call boardNews in the ssi page (display the latest topic from a board), then visit the ssi page when you're logged in; links will work as expected and will bring you to the right topic. Then log out and visit the ssi page again. You should notice that boardNews links are not working and you're redirected to the board index instead of the expected topic. This behavior is related to this bug because if you take a look at the boardNews links (ONLY IF YOU'RE LOGGED OUT), they are "strange"..

Sorry if my explanation isn't clear but it's difficult to explain! :P

Nao 尚

Quote from: MultiformeIngegno on June 11, 2010, 06:54:04 AM
It doesn't fix automatically.. it's since I upgraded to rc3 from rc2 that I reproduce it (every browser, also in "private mode" so cache is empty) and it never fixes magically!
You didn't tell me if ssi dot geez dot fr works for you now...?

MultiformeIngegno

Quote from: Nao on June 11, 2010, 07:12:50 AM
Quote from: MultiformeIngegno on June 11, 2010, 06:54:04 AM
It doesn't fix automatically.. it's since I upgraded to rc3 from rc2 that I reproduce it (every browser, also in "private mode" so cache is empty) and it never fixes magically!
You didn't tell me if ssi dot geez dot fr works for you now...?
I've tried to register but registration is disabled.. is there a test user?
